ACSIA XDR Plus Installation and User Administration Guide - v5.x.x

This guide applies only to ACSIA XDR Plus version 5.0.0 up and above

1. Preface

This guide will walk you through the prerequisites to install ACSIA, product installation and configuration details, administration, troubleshooting deployment and Frequently Asked Questions.

2. What is ACSIA XDR Plus?

ACSIA is an Automated Cyber Security Intelligence Application which enables organizations to protect themselves against malicious attacks and unauthorized entities targeting their data.

3. Installation and Configuration

Like any other software application, ACSIA needs some preliminary requirements to be satisfied to communicate with connected clients and perform its tasks.

3.1. Prerequisites

3.1.1. Minimum Requirements

ACSIA Server platform requires the following minimum specs:

The server can be deployed in a physical or virtual environment
In the case of a virtual environment, the server will need a Virtual Machine, and it can run on every hypervisor of choice (VMWare, HyperV, VirtualBox, Proxmox, etc...) but not on containers (Docker, Kubernetes, LXD, LXC, Vagrant, etc...)
Any Linux distributions can be used.
16 GB RAM (on virtual environments, they must be dedicated)
8 vCPU
200 GB Storage SSD (as a minimum depending on retention policy)
Network connectivity (to download and install the server, receive our threat intelligence feeds, connect with the clients, upgrade the system and verify the license)
Partitioning: There is no specific partitioning required for ACSIA VM; however, when ACSIA is hosted on-prem (outside cloud platforms), it is strongly recommended to set up an LVM partition so the storage can be easily extended

To perform the installation it's required full internet connectivity. Once the installation is completed you can reduce the connectivity only to the URLs indicated in the following table.

Source	Destination	Protocol	Port	Note
ACSIA Server	wimi.xdrplus.com	TCP	443	Public IP and Latest Release
ACSIA Server	license.acsia.io	TCP	5150	License Activation (TLS Enabled)
ACSIA Server	nexus.acsia.io	TCP	443	Download Updates

The connectivity is required at all times (private and public keypair verification for license), although ACSIA allows up to 48 hours of connection loss before it enters an unlicensed state. The only exception to this requirement is where ACSIA is deployed from Amazon AWS Marketplace.

The specification above would support a typical standard workload of 100+ monitored hosts. ACSIA scales relatively linearly, so additional resources will support larger client environments.

ACSIA Client (with the agent) requires the following minimum specs:

The agent can be deployed on every OS (even in VMs), but we strongly advise using updated systems and that our support can be limited on operating systems that the respected vendors do not officially support
Currently, we don't have any minimum requirements for CPU, RAM and Storage because our agents are highly lightweight in terms of hardware consumption. We suggest performing the installation on a machine with at least 2GB of free space.
It works with every OS (Linux with kernel later than the version 2.6 and every version of Windows and macOS
Network connectivity toward ACSIA Server (as specified below)

3.1.2. Web UI Network ports

To access ACSIA’s Web UI, you will need to open the following ports between your workstation (Laptop/Desktop/PC) and the ACSIA server:

Source	Destination	Protocol	Port	Note
Any PC that manages ACSIA	ACSIA Server's IP	TCP	443	Used for HTTPS
ACSIA Server's IP	license.acsia.io	TCP	5150	License Activation

3.1.3. ACSIA client-server ports using Agent installation

If you choose to deploy the ACSIA agent on the clients (servers or workstations), the only requirement for the agent to be able to communicate with the ACSIA server is the TCP port 443 (HTTPS) and 444 (TCP/UDP). If these ports are not open, please make sure to have them opened.

Source	Destination	Protocol	Port	Note
Any host with the ACSIA Agent	ACSIA Server's IP	TCP	443	Used for Connections
Any host with the ACSIA Agent	ACSIA Server's IP	TCP & UDP	444	Used for Pulls
Any host with the ACSIA Agent	wimi.xdrplus.com	TCP	443	Used to pull the IP

3.1.4. ACSIA client-server ports agentless deployment

ACSIA Server communicates with clients via the following communications ports; therefore, you will need to enable your firewall the following rules if you choose the agentless deployment:

Source	Destination	Protocol	Port	Note
Any host with the ACSIA Agent	ACSIA Server's IP	TCP	1515	Used for Connections
Any host with the ACSIA Agent	ACSIA Server's IP	UDP	1514	Used for Connections
Any host with the ACSIA Agent	ACSIA Server's IP	TCP	5044	Used for Connections
ACSIA Server's IP	Any Windows host	TCP	5986	Used for Push
ACSIA Server's IP	Any Linux host	TCP	22	Used for Push

3.1.5. ACSIA Proxy configuration - Only if you have Proxy

If you have a proxy and your servers (ACSIA VM and your server to be monitored) for your servers to go out on the internet, please apply the following instructions.

3.1.5.1 Setting Up Permanent Proxy for All Users

To permanently set up proxy access for all users, you have to edit the /etc/environment file.

Step 1 - First, open the file in a text editor:

sudo nano /etc/environment

Step 2 - Next, update the file with the same information you added to the .bashrc file in the previous scenario:

export HTTP_PROXY="[username]:[password]@[proxy-web-or-IP-address]:[port-number]"
export HTTPS_PROXY="[username]:[password]@[proxy-web-or-IP-address]:[port-number]"
export FTP_PROXY="[username]:[password]@ [proxy-web-or-IP-address]:[port-number]"
...
export NO_PROXY="localhost,127.0.0.1,::1"

Step 3 - Save the file and exit. The changes will be applied the next time you log in.

3.1.5.2 Setting Up Proxy for APT

On some systems, the apt command-line utility needs a separate proxy configuration, because it does not use system environment variables.

Step 1 - To define proxy settings for apt, create or edit (if it already exists) a file named apt.conf in /etc/apt directory:

sudo nano /etc/apt/apt.conf

Step 2 - Add the following lines to the file:

Acquire::http::Proxy "http://[username]:[password]@ [proxy-web-or-IP-address]:[port-number]";
Acquire::https::Proxy "http://[username]:[password]@ [proxy-web-or-IP-address]:[port-number]";

Step 3 - Save the file and exit. The configuration will be applied after a reboot.

The option NO_PROXY, in addition to what is specified above as parameters, you will need to add your internal networks and subnets where the monitored devices are located (your servers or PCs network). Otherwise, you will have connectivity issues between ACSIA and those networks when you try to add them to the services to be monitored by ACSIA. This is because the proxy will be unlikely to be able to reach out to those networks.

Any changes affecting the above variables must be notified to ACSIA via configureHttpProxy command followed by acsia_restart (this is for when ACSIA installation is already completed).

3.2. ACSIA Server installation

Prepare a Linux VM (i.e. Ubuntu 20.04 is currently supported, please check release notes for ACSIA) to host the ACSIA server and ensure the system is up to date.

Once all your prerequisites have been satisfied, the installation of ACSIA can begin. If the requirements for the installation are not satisfied, the installation will fail, and you will be provided with an explanation of which prerequisites were not met.

Customers with a valid ACSIA license will receive an installation package from the 4Securitas Support team to download the main installation script acsia_prepare, and an additional file containing credentials, including the license.

Please strictly follow the instructions provided in this guide to install the ACSIA Server-client configuration.

3.2.1. Getting Started with the Installation of ACSIA Server

Login into the newly provisioned VM for the ACSIA server, switch to root user, copy the acsia_prepare and the credentials.txt that is being provided to you.

Execute the acsia_prepare as follows, make sure the script is executable using the command:

chmod +x acsia_prepare

and then executing:

./acsia_prepare

Follow the instructions provided on your screen, and when complete, execute the following:

./acsia_app/bin/acsia_install

If all preliminary requirements are satisfied as per the guidelines, the ACSIA server will be fully installed in about ~5-6 minutes.

In case of any issue, please refer to the Troubleshooting section in this guide, check our advanced troubleshooting guides in our Knowledge Base or contact our support team by raising a ticket from this portal. When requesting support, please provide as much information as possible (i.e. screenshots, logs, etc.); every detail will help us troubleshoot your incident faster.

At the end of the installation process, you should have on your terminal the credentials for the first admin user to login into web UI, something like the following:

ACSIA web and Dashboards
Admin interface: https://192.168.1.246:443
Username: admin@acsia.io
Password: kzuh21ybnsdy1=ui12b5!2iutRIf123kjojb

Once the server installation finishes, the client installation will continue in the background (the ACSIA server becomes the first client to be monitored). Please wait for the engine to initialize upon client install completion.

We strongly suggest changing the generated passwords with new ones as soon as possible and storing them properly.

To check the progress status for the initialization of ACSIA run:

acsia_tail_f

If you are receiving the error acsia_tail_f: command not found it means that you are not using the correct user so please run:

sudo su - acsia

This will change your account in the acsia one, allowing you to run all the necessary commands.

After the client's installation is completed, you should see the following message in acsia_tail_f:

2022-07-10 15:52:21.254 INFO 29440 --- [main] com.forsecuritas.AcsiaLauncher : *************** SPRING APPLICATION RUNNING *************************

The above message indicates that the engine is ready and up and running. Now you can log in to the web UI with the credentials provided and activate the license first thing as soon as logged in.

After the installation is completed, it is strictly necessary to have all ACSIA service commands available to log out from the running session and log back in again, so the environment variables can be all loaded.

4. ACSIA Service Commands

As mentioned above, all of ACSIA’s service commands, including the start/stop services as well as troubleshooting tips, can be found in the /acsia_app/bin folder in $ACSIA_HOME.

Below are some frequently used service commands.

Check if all of ACSIA services running:

acsia_stack_status

Start ACSIA all services:

acsia_stack_start

Stop ACSIA all services:

acsia_stack_stop

Start only ACSIA engine:

acsia_start

4.1. Full List of Service Commands

You can find all available service commands of ACSIA at /home/acsia/acsia_app/bin.

Below is the table containing all commands with their descriptions:

Command	Description
acsia_adapter_beanstalk.py	AWS Elasticbeanstalk adapter for ACSIA
acsia_adapter_ips.sh	IPS component adapter for AWS elasticbeanstalk
acsia_admin_check_requirements.sh	Check ACSIA prerequisites
acsia_admin_docker_subnet	Change docker subnet
acsia_admin_health.sh	Check ACSIA health status
acsia_admin_logs	Show ACSIA components logs
acsia_admin_query	Run MySQL DB query
acsia_admin_reset_password	Retrieve the ACSIA user credentials link to reset
acsia_admin_unlock_indices	Unlock indices if ACSIA disk is saturated due to out of space
acsia_ban_script	Ban an IP address
acsia_beanstalk_ban	Ban IP through AWS Elasticbeanstalk
acsia_beanstalk_find_banned_ip_rule	List or find banned IP addresses in AWS Elasticbeanstalk
acsia_beanstalk_manage_service	Manage services and configuration of ACSIA in AWS Elasticbeanstalk
acsia_beanstalk_unban	Remove the ban for an IP address in AWS Elasticbeanstalk
acsia_change_ip	Change ACSIA server IP address
acsia_deploy_ssl_certs	Install SSL/TLS certificate on ACSIA server if assigned subdomain
acsia_download	Download ACSIA package for the installation (deprecated in v4)
acsia_elastic_restart	Restart Elasticsearch
acsia_elastic_start	Start Elasticsearch
acsia_elastic_status	Check Elasticsearch status
acsia_elastic_stop	Stop Elasticsearch
acsia_elastic_tail_f	Check Elasticsearch logs
acsia_export_logs	Export ACSIA logs
acsia_fix_kernel_inspector_wrong_version	Fix kernel mismatch version
acsia_install	Install ACSIA
acsia_ip	Retrieve ACSIA server IP address
install_acm_app.sh	Install ACM module when it fails during client deployments
acsia_normal_ban	Ban an IP address
acsia_normal_manage_service	Configure and manage services
acsia_normal_unban	Unban an IP address
acsia_reconfigure_acm	Reconfigure ACM module for ACSIA client for specific IP
acsia_reconfigure_acm_all	Reconfigure the ACM module for ACSIA for all connected clients
acsia_report	Generate and export incident reports for ACSIA
acsia_restart	Restart ACSIA engine only
acsia_set_private_ip	Assign a private IP address to ACSIA server
acsia_stack_restart	Restart all stacks with all components including the engine
acsia_stack_start	Start all stack with all components including the engine
acsia_stack_status	Check status for all stacks with all components including the engine
acsia_stack_stop	Stop all stack with all components including the engine
acsia_start_bg	Start ACSIA in the background
acsia_status	Show ACSIA status
acsia_stop	Stop ACSIA engine only
acsia_tail_f	Show real-time ACSIA logs
acsia_unban_script	Unban an IP address
acsia_uninstall	Uninstall ACSIA
acsia_update	Update ACSIA
acsia_insert_admin_user	Add an admin user for ACSIA
install_falco	Install Falco kernel module
kibana_default_index	Reset to Kibana default indices
kibana_import_saved_objects	Import saved objects, customization on Kibana
mfa_acsia_install	Activate and enable 2FA/MFA
mfa_acsia_uninstall	Disable 2FA/MFA
mfa_ssh_install	Activate 2FA/MFA for SSH login as acsia user on server
mfa_ssh_qrcode	Generate or show SSH QR code for 2FA/MFA
mfa_ssh_uninstall	Disable SSH 2FA/MFA
setInternalIP	Set internal IP for ACSIA server
ssl_configuration	Check and configure SSL/TLS
winrm_remote	Check Ansible WinRM for Windows clients

The ACSIA XDR Plus product is a modular design built with multiple open-source tools. Several service scripts for each component will rarely be needed (unless you run into some issues). The service scripts shown above should suffice for most of you who would ever need to perform some troubleshooting on ACSIA.

5. Configuring and Enabling ACSIA to send Emails

For ACSIA to be able to send email notifications, including the email for the admin account setup, it requires the ability to communicate with your mail server. To do this, the emails originating from the ACSIA server must be white-listed on your mail server and spam filters (if you have one) etc.

If you do not white-list emails originating from the ACSIA server, it is likely that they will be bounced or placed into a spam folder (this is because the email originates from a server and not from a real email account), so if you do not receive emails try the following guidelines or check the troubleshooting section of this guide.

If the users are experiencing issues receiving their account creation emails, the admin can run the acsia_admin_reset_password command to retrieve the link to enable them to reset their credentials.

5.1. Set and Configure a real email account as a sender

It is possible to use a genuine email account (i.e. business email, private Gmail, Yahoo, etc.) and set it as sender to receive notifications via mail (this will avoid email notifications from ACSIA being bounced or placed in spam filters) without hassle.

To set and configure an email account on ACSIA, navigate to Settings→Email section and add your email account details.

6. Configuring SSL certificate for ACSIA Web Application

By default, ACSIA generates self-signed SSL certificates for secure browsing. The self-signed certs are configured using ACSIA IP addresses (external or local if provided). If you wish to configure ACSIA with a proper CA and have your own SSL certificate, you can do that either during the installation of ACSIA or at a later stage. ACSIA requires the certificate and the key to be provided in two files - the private key and the public certificate (both to be .pem formatted).

Deploy the cert during the installation: when installing ACSIA, using the acsia_install the script simply adds the extra command-line parameters such as: --certificate /path/to/cert.pem, --key /path/to/key.pem and --domain my.domain.com. All three must be present, or the installer will exit with an error.
Post-install deployment: a new script acsia_deploy_ssl_certs has been provided and accepts the same parameters as per the previous step --certificate, --key, and --domain. Once these have been deployed, you will need to execute acsia_stack_restart for all components to pick up these newly added certificates.

If you don't want to buy SSL certificates you can use Let's Encrypt with Certbot; however these instructions are not provided in this guide, so we advise you to check on the respective websites.

6.1. Amazon AWS Elastic Beanstalk Integration

ACSIA comes with the AWS Elastic Beanstalk Integration feature to monitor applications running within Elastic Beanstalk.

If you have applications running on Elasticbeanstalk and you want ACSIA to monitor and protect them, then run the following command in the terminal: acsia_adapter_beanstalk.py

You will be prompted to provide the following information from your AWS environment:

AWS Access Key ID (IAM User)
AWS Secret Access Key (IAM User secret)
Default region name (Region where Beanstalk is located)
Default output format: (can be JSON or text, but JSON is preferred)
ACL (Network access control list ID in Beanstalk VPC)

After the above deployment, you will be given an IP address (internal/private IP). The IP address can be retrieved later by running the command: acsia_adapter_ip.sh.

Login onto the ACSIA Web UI Console and add the Linux host using the IP address provided earlier (Getting Started->Start->Linux).

Please note that the deployment might end with some warnings and partial configuration. Do not panic; these warnings may not be severe, and the monitoring will generally function.

Make sure to include the acsia.config the file provided in your elasticbeanstalk application startup pack (Kickstarter package).

After completing all the above steps, login into a new terminal on the ACSIA server and restart ACSIA by running the acsia_restart command. This is to make sure ACSIA picks up all changes and configuration files.

7. Updating ACSIA

Updating ACSIA is reasonably easy and straightforward.

To update, all you need to do is to run the following command in the terminal as acsia user:

acsia_update

You will require your ACSIA username and passwords to get updates. These credentials are usually supplied within the same email where you receive your license instructions.

We recommend performing the ACSIA updates from the terminal instead of using the Web UI update feature. This provides greater clarity and control of the process with more granular error code information. Major releases of ACSIA will generally include core tool upgrades. We, therefore, recommend a full-stack stop and start when performing these upgrades. You can do this by running the command: acsia_stack_stop && acsia_stack_start

8. License Activation

After completing the installation, you should be able to access the ACSIA application via a web browser. The first action is to activate the license.

If you do not activate the license, you won’t be able to do anything as the application will function at minimum capacity or not at all. To activate the license, copy the license code provided and go to the user menu (top right) by clicking (it is either your email address or your name) on Settings from the menu and then select the License the tab where you can add/activate the license.

The license can be requested via the ticket form from our support portal https://support.4securitas.com or if you have issues accessing it, contact the support via email at support@acsia.io.

9. Authentication Methods used in ACSIA

ACSIA comes with multiple authentication mechanisms integrated.

ACSIA has traditional authentication methods such as username and password and multi-factor authentication (aka 2FA).

9.1. Two-Factor Authentication

ACSIA offers a 2FA method that can be implemented during and after installation for better security. The Two-Factor Authentication (2FA) is available for SSH and ACSIA Web UI logins.

The 2FA can be enabled for all users by navigating from Web UI to Settings→2FA.

As you can see from the image above, the loading time of the login page can take up to one minute, so please wait and don't refresh the page.

9.2. Enabling 2FA for SSH from the command line

If you wish to apply 2FA to the acsia user for SSH logins, you can do that during the installation prompts. The 2FA features can be enabled or disabled at any time through mfa_ssh_install and mfa_ssh_uninstall commands respectively. When enabled, the acsia system user will have a Time-based One-Time Password (TOTP) secret key generated. We recommend using 2FA token handler tools such as Google Authenticator or FreeOTP. If this feature is enabled, a QR code is printed on the screen during the installation.

When this is enabled, only key-based authentication (ssh-key) can be used for session authentication. Password + 2FA is not supported, as this causes unintended side effects.

After the installation is finished, or when executing mfa_ssh_qrcode, the QR code will be displayed on the terminal, and it can be scanned with your preferred 2FA token handler.

9.3. Enabling 2FA for ACSIA Web UI Login from the command line

Although the SSH 2FA can be optionally enabled or disabled, we strongly recommend that the 2FA is enabled for the UI, especially if ACSIA users are accessing the UI from the internet. If the 2FA is enabled for WebApp login, all users will be provided with a QR code (which should be scanned by, e.g. Google Authenticator, FreeOTP, etc.), and must present the TOTP key each time they log in to the application along with traditional access credentials such as username and password.

9.4. Access to OpenDashboard and Authentication

The OpenSearch visualizer OpenDashboard is part of the ACSIA stack. To access OpenDashboard applications and dashboards, password user and authentication are enabled. Users must present their ACSIA username/password whenever they attempt to view Dashboards. The username and password are automatically generated from ACSIA Web UI login credentials.

10. Preparing Your Servers to be Connected to ACSIA

ACSIA supports both Linux, Windows and MAC OS operating systems.

10.1. Preliminary Requirements

If you intend to monitor your systems without using ACSIA Agent (agentless mode), there are some preliminary requirements, such as a service user account with administrative privileges. This service user can be a local admin account, a Domain Controller (for Windows systems) or an LDAP account (for Linux systems). While if you are choosing the agent mode, running the agent on the end-point will suffice.

If your IT infrastructure is hosted on Google Cloud (Metadata Page), you can skip the following steps by adding ACSIA ssh-keys to your project from the Google console. AWS has a similar setup that can be done via OpsWorks.

10.2. Connecting a Linux Client

10.2.1. Requirements

Kernel 2.6 or later
Python 2.7 or later
User account acsia with Sudo privileges and passwordless (for agentless only)

10.2.2. Deploying ACSIA via an agent

For all Linux, Windows and MAC OS clients where you have chosen to install Client Agent, all you need to do is to navigate in ACSIA Web UI Hosts→Add Host, select the operating system, i.e. Linux, Windows or MAC, and choose Use The Agent where you can download it.

Please be aware that agents can be downloaded for a single client, meaning the same agent downloaded from UI cannot be used for a second host. For each host, you must download a new agent because each agent has its token (this is for security reasons). If you’d like to download an agent for multiple clients, then you can use Bulk Agent Deployment where you can select the number of clients, you wish to deploy the single agent.

Copy the downloaded agent to the client device for the installation and execute as root on Linux/MAC and Administrator on Windows using PowerShell. Make sure to add execution permission to Linux/MAC agent.

If all prerequisites are in place after installing the agent on your clients, you will see the clients automatically listed (populated) on ACSIA UI in the Hosts section.

Client agents connected to ACSIA server via an API, it doesn’t have user creations requirements or multiple ports to be opened on the firewall (all ports are consolidated into 2 ports which are 443 (TCP) and 444 (UDP/TCP) as per requirements when opting for agent).

ACSIA agents downloaded from UI have tokens that expire after seven days, and each download is valid for a single device (meaning for each device, you have to download a new agent or choose the bulk agent installation option if you wish to use a single download for multiple devices). If the agent provided to you is not working please make you generate a fresh agent because it is most likely a token expiration issue related.

10.2.3. Deploying ACSIA in agentless mode on Linux systems

If you wish to deploy ACSIA in your clients without an agent, the following steps are recommended depending on the distribution:

For CentOS / RHEL Linux

Creating ACSIA Service User on CentOS or RHEL systems

useradd -m -d /home/acsia -c "ACSIA Service User" -G wheel acsia

In the above command, we are creating an acsia user, providing a home directory, tagging with a name and assigning it to the “wheel” administrative group.

Followed by enabling Sudo passwordless permissions, which are done by editing /etc/sudoers file and removing the comment # from the following string:

%wheel ALL=(ALL:ALL) NOPASSWD:ALL

For Debian / Ubuntu Linux

Creating ACSIA Service User on Debian or Ubuntu systems

useradd -m -d /home/acsia -s /bin/bash -G sudo acsia

And then check-in /etc/sudoers and remove the comment # following string (add if you don’t have it):

%sudo ALL=(ALL:ALL) NOPASSWD:ALL

10.2.4. SSH Key

Once the service user creation is completed on your Linux servers, the next step is to get the ssh-key from ACSIA Web UI. To get the key, navigate to Hosts→Add Host the area, choose Linux and you will be able to see/copy the ssh-key.

Copy/export the ssh-key and import it into the ACSIA Service User-created (on each server) earlier, paying attention to steps concerning .ssh and authorized_keys file permissions.

A typical way to do that would be (as acsia user):

echo "paste here the key" > .ssh/authorized_keys
  
  chmod 700 .ssh && chmod 600 .ssh/authorized_keys

This ACSIA service user is used for 2 different purposes:

To deploy elastic stack shippers (filebeat, auditbeat, packetbeat), ossec/wazuh agent and falco kernel module.
To enable ACSIA automatically ban threats and attacks on the spot and perform remediation options actioned by the user.

Both above steps are performed via Ansible playbooks that are pushed from the ACSIA server onto clients automatically (this avoids the requirement to complete the installation on every single client manually).

The ssh-key we refer to is a 4096 bit randomly generated by ACSIA during the installation. This key can be replaced by your own keys, create a new one or replace it with any other keypairs (i.e. AWS EC2 keypair.pem). It is entirely at the user's discretion.

10.3. Connecting a Windows Client without Agent

To manage Windows servers in agentless mode, WinRM must be installed, running and listening on the Windows servers. The instructions below are examples provided by Ansible

10.3.1. Requirements

PowerShell 4.0+
Windows Server 2008 SP1+ (or Windows 7 SP1)
Local or domain acsia an account with administrative privileges or equivalent
WinRM service is active and running

10.3.2. Domain Controller - Active Directory (Agentless)

If your Windows systems are part of AD/DC, ACSIA has an integration feature for Domain Controllers. All you need to do is to run the following PowerShell script on the primary DC:

ForEach ($COMPUTER in (Get-ADComputer -Filter '*' | Select -ExpandProperty DNSHostName))
{
  if(!(Test-Connection -Cn $computer -BufferSize 16 -Count 1 -ea 0 -quiet))
    {
        write-host "cannot reach $computer" -f red
    }else {
        write-host "executing script on $computer" -f green Invoke-Command -ComputerName $computer -ScriptBlock {
            [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
            $url = "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"
            $file = "$env:temp\ConfigureRemotingForAnsible.ps1"
            (New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)
            powershell.exe -ExecutionPolicy ByPass -File $file
        }
    }
}

While executing the above script, if you discover that some of the DC clients are not reachable through DNS name, then simply replace DNSHostName them with Name.

Once the above script has successfully executed, go to ACSIA UI Getting Started session and add your domain controller were during the discovery step of the Domain Controller, an option called Add all "yourdomain.local servers" will appear.

Something like the following screenshot where acsia.local is your domain controller FQDN:

This will poll all registered clients on your Domain Controller and populate them on ACSIA UI to be deployed/monitored at once.

please ensure that you enter your domain controller in the format of username@fqdn, i.e. user1@acsia.io

10.3.3. Windows Client Not Connected to AD/DC (Agentless)

If your windows servers are not connected to any Domain Controller, the following script must be executed on windows clients to enable winRM service, which is used for Ansible

WinRM configuration script

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$url = "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"
$file = "$env:TEMP\ConfigureRemotingForAnsible.ps1"
(New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)
powershell.exe -ExecutionPolicy ByPass -File $file

please ensure the URL is not split during copy/paste operation.

10.3.4. Connecting PCs and Workstations to ACSIA (Agentless)

PCs and Workstations can also be connected and monitored by ACSIA following the instructions above. Please note that endpoints (such as PCs and Workstations) behind domestic routers will require NATting enabled on port 5986 for the endpoint intended to connect to ACSIA (Installation via the agent is the recommended way for scenarios like this one)

Please upgrade your Powershell version if the version is < 4, and ensure that the Windows firewall is active.

10.4. Adding Hosts via ACSIA Web UI (agentless mode only)

Login into the ACSIA Web UI and click on Add Host in the menu on the left sidebar, the Hosts page. Select the operating system of the client you wish to connect and you will be forwarded to the next window where you may add hosts on an IP or Hostname basis, using a CSV file (explained better below) or via the agent (by downloading the agent). It is best practice to use IP addresses to add your server as the remaining details of hosts including the hostname will be automatically retrieved and placed by ACSIA.

After completing the Hosts Setup next step is the Logs Configuration screen, where you can add your custom web server or web application logs (always use the absolute path of the logs). The next step is the validation of the logs entered, if any are non-existent this will be highlighted so that you can correct or remove if it was a mistake or a typo and so on.

the paths must be to the log files themselves; symlinks to files are unsupported.

For instance, if you have a web application running on Nginx Web Server (likewise with Apache) you will need to add your Nginx logs manually during client deployment (can be done even later using the edit option) i.e. /var/log/nginx/access.log.

The web application logs are typically detected automatically by ACSIA. But if they’ve not been detected for some reason, the recommended action is to add them manually by using the Edit Host Details where the hosts are listed (in the Hosts page).

Once the configuration of all the log files has been completed, there will be a Summary shown on the next screen to make sure that you have everything entered followed by Deploy where you actually start to deploy ACSIA and connect to your servers. This will take a few minutes (depending on your network connection between clients and server) and you will be eventually shown a dialogue message that reports the completion of the enrollment procedure.

10.4.1. CSV File format

ACSIA offers the option to use a CSV file containing details of all of your server details where you can just import the CSV file.

The following screenshot provides the format of the CSV file for ACSIA:

If you have multiple logs for a single host you can separate each log by semicolon ;.

Once deployment of a client is completed, your servers are set to be constantly monitored in real-time for security issues, threats and anomalies.

10.4.2. Container-specific details

ACSIA is container-aware, and will automatically track kernel events within containers. However, if you are running application/webservers within containers, and wish for these logs to be monitored, they must be made available to the host. ACSIA does not support symlinks to log files - it must be the full path to the given log file.

Linux container logs can be presented to ACSIA by using docker options --volume or --mount. As per official docker documentation here. or here if you are using docker-compose.

11. User Administration

The user administration section can be found at the top right bar by clicking on the username with which you have logged in and then Settings.

11.1. Adding a New User to ACSIA Web UI

Adding a user has never been simpler. Just click username on the top right bar and select Settings from the menu.

Then click on "ADD USER" and fill in all the fields, you can also Delete or Edit Users in this Section. Please keep in mind that the actual username has to be an email address.

11.2. Distribution Lists

ACSIA enables you to create distribution lists where you can add members to each group and set the notification types to be sent to each distribution list. For instance, you can set a distribution list to receive only Critical or High or Medium/Low priority security alerts. Your C-Level management may not want to receive alerts outside Critical events and therefore a distribution list can be created to satisfy this requirement.

You will find the Distribution List on the left sidebar menu. To create a new distribution list just click "ADD NEW LIST".

gif dist.gif

Give a name to the Distribution List created and select the members by adding them to the list along with choosing the type of event (Critical, High or Medium/Low) that you wish the group should receive.

You are now all set to receive notifications through the distribution list.

11.3. Email Settings

The email settings relate to ACSIA server-side notifications via emails. This setting can be found at the top right under the Settings menu Email tab.

Here you can set the sender email and the name for it. For instance, if your organization's domain is called example.com you can set the email as no-reply@example.com and the name as Acsia Alerts and white list that accounts on your anti-spam filters to make sure you receive notifications from that email account.

As soon as you set this up you will start receiving notification emails as per the setup.

If you experience issues in receiving email the recommended action is to set up an actual real email account and configure Under the email notification, instead of setting a simple email and label, you can enable the SMTP and the Authentication methods where you can fill in the details of the email you wish to use as sender.

11.4. Receiving notifications via Slack and/or Microsoft Teams

Similar to the email notification, you can also activate notifications to be received through Slack and/or Microsoft Teams. You can enable this in Settings section under integration where you can simply copy the desired webhook (Microsoft Teams or Slack) and activate it to receive notifications via real-time messaging.

11.4.1. Slack setup instructions (Microsoft Teams is pretty much the same)

Install incoming webhook on your Slack

Go to Apps
Go to View App directory
Search for incoming-webhook
Go to Add Configuration
At Post to Channel: choose the channel/group where to send the notification
Click Add Incoming WebHooks Integration
Go to Customize Name: Add name i.e. ACSIA Notifier
Copy the WebHook URL

Configure on ACSIA UI

Access to Web UI
Go to Settings -> Integration
Activate Slack or Microsoft Teams
Paste the URL copied

11.5. Kernel Level Notifications

With the kernel level monitoring, once enabled, ACSIA has the ability to intercept the stream of every system call made to the kernel by intercepting the `syscalls and searching for anomalies/threats in real-time (this is for Linux systems only).

If you’d like to receive kernel-level notification it is recommended to keep this feature enabled. It can be disabled at any time for those who wish to do so by navigating to Setting and click on Notification tab.

11.6. Enabling Automatic Ban

If you’d like ACSIA to handle the majority of threats originating from outside your organisation (i.e. attacks originating from the internet such as BotNet, Bruteforce, Dictionary, SQL injections, XSS attacks etc) then this feature must be enabled.

If enabled, ACSIA will automatically take remediation actions such as banning IP addresses on the spot. You can enable Automatic Ban by navigating in the Settings area and click on the tab Notification.

11.7. Enabling Manual Ban for Local/Private IP Addresses

ACSIA by default cannot ban local IP addresses, this is to avoid any business interruption or similar incidents that will impact business. However, if you’d like to be able to ban local IP addresses you can do this by enabling this feature under the Settings→Notification tab.

11.8. Log Retention

ACSIA stores all incoming logs from servers between OpenSearch and MySQL databases. The lifespan (retention period) of the logs can be configured by navigating to Settings and clicking on Log Retention tab.

ACSIA enables users to set the different retention periods for a different types of logs (which are listed below):

11.8.1. Access Logs

These logs include all system logs and event logs.

11.8.2. Web Logs

Web logs are the web applications logs (i.e. apache, Nginx, tomcat, IIS, etc.)

11.8.3. Audit Logs

These are very commonly known Linux audit logs.

11.8.4. Network Log

These logs are the network traffic captured at the server level (inbound and outbound).

11.8.5. ACM Logs

ACM stand for Advanced Compliance Mitigation and therefore these are compliance-related logs (system, application, security events, etc)

12. Main Dashboard

ACSIA XDR Plus as of v5.0 now has a Main Dashborad in its new interface. On this dashboard, data can be actively examined with numerical, graphical and mapping visuals. At first glance, Data related to the last 10 days is presented. You can filter these data according to a certain time period with the filtering tool in the upper left corner.

In general, the following numerical data are shown on the board;

Critical Alert
High Alert
Medium Alert
Low Alert
Attack Blocked
Bad IP Blocked

Graphically displayed data;

Attack Trends Line Graph
Top 10 Offenders Set Graph
Blocked hosts (Prisma) Set Graph
Attack by category Set Graph
Top 10 attacked hosts Bar Graph
Top 10 authorization access Bar Graph
Top 10 authorization failure Bar Graph
Top 10 destinations Bar Graph

Geolocalized attack trends in the last 10 days are shown on the world map.

13. Host List Section

Hosts list page shows the inventory of all devices connected to ACSIA in a tablet mode and details of each table cell are briefly listed below:

Host Alias: where you can assign an alias to recognize better your host
Hostname: this value is retrieved automatically from the host but the user can change the name
Host IP: the IP address through which the client is connected
Operating System: indicates what operating system the client has
Status: contains the list and the status of all shippers that streaming the client logs to the ACSIA server
Actions: this area has 3 actionable sub-sections:
View Details: show the details about the host i.e. operating system, kernel, IP address, monitored logs and more
Edit Host Details: it is the area where the user can edit host details such as adding an alias, changing the hostname, the IP address, adding custom logs to be monitored and starting/stopping log shippers (streamers) manually etc.
Remove Host: where you can remove the connected host

IMG_20220824_235314 (1).jpg

14. Events Section

14.1. Live Notifications

On the left side menu, we also have Live Notifications which contain a list of all live events that are not being actioned yet. All incoming security alerts will be listed in this section and by clicking on the Details arrow on each notification in this area you will be able to browse and explore the full details of a single incident/alert generated by ACSIA.

We also have filters where the events can be filtered and searched criteria based etc.

14.2. Live Notification Sidebar

We have a Live Events sidebar on the right side of the screen. This sidebar is similar to Live Notifications with an exception of being static and permanently on the right side, this is useful when monitoring events while navigating through ACSIA’s functionalities.

Each event is shown with a short brief description along Immediate Actions to enable the user to action and remediate an incoming security event or incident on spot.

15. Insights

The Insights the area can be found on the left-hand sidebar menu. This section contains multiple dashboards that ACSIA offers for deep investigations of events or even for generating reports and analytics. Each dashboard is visualized using OpenDashboard a web application offered by OpenSearch Stack. OpenSearch Dashboard is integrated in OpenSearch, you can find something here: Opensearch

Each dashboard is self-described as you will find it under Insights area.

15.1. Compliance

The Compliance the area contains primarily dashboards/reports relating to compliance and regulatory frameworks listed briefly below:

Security Information Management
Security events report
Integrity monitoring report
Threat Detection and Response
Vulnerabilities report
Mitre Att&ck
Auditing and Policy Monitoring
Policy monitoring dashboard
System auditing dashboard
Regulatory Compliance
GDPR
PCI DSS
HIPAA
NIST 800-53
TSC

Security and information management provides visibility and reporting about security events and includes file integrity monitoring. Threat detection and response provides reports on discovered vulnerabilities for connected systems.

Auditing and policy monitoring provides full visibility of audit controls and standard policy requirements.

Regulatory compliance dashboards cover global regulatory regimes from GDPR, PCI DSS, NIST 800-53, HIPAA, TSC and Mitre Att&ck framework. ACSIA provides full control and visibility in real-time on compliance of IT systems, and if the systems are not compliant, it provides the exact failing point so it can be easily addressed.

16. Policies

ACSIA‘s Policies provides an inventory of what is allowed and not allowed on monitored clients. When ACSIA blocks traffic it utilizes individual clients' local firewalls (Windows firewall and routing table on Linux systems etc). The Policies section is divided into 4 subsections as follows:

IP Blacklist
IP Whitelist
Locked Users
Access Location
Muted Notifications

16.1. IP Blacklist

The IP Blacklist contains all those source IP addresses that have been marked as malicious and unauthorized and therefore blacklisted (banned by hosts). You can undo an action if an IP address is mistakenly banned by a user. If the autoban feature is enabled, ACSIA will automatically handle all potential attacks and threats originating from outside of the organization (from the internet for example) whereas internal threats will always be notified for the ACSIA administrator to make the final decision.

16.2. IP Whitelist

The IP Whitelist contains all those source IP addresses that have been marked as trusted. Note that whitelisting an IP address does not include web requests due to giving sensitivity to web application level accesses. Therefore when you white list an IP address that doesn’t apply to web requests and if traffic originating from that specific IP address identifies a potential threat it will be subject to notification and alert.

16.3. Locked Users

The Locked Users contains specific users that are marked to be locked. They can be legitimate users who attempt to gain access to non-authorized areas. Alternatively, they may be malicious users that have compromised the legitimate account details of a user and therefore been locked. ACSIA does not automatically block legitimate users, it always requires user input so it will be at the ACSIA administrator’s discretion to make that call.

16.4. Access Location

The Access Location refers to those security events where legitimate access originates from a geographical location or an IP address that wasn’t authorized on ACSIA. Therefore waiting for approval, to be authorized or unauthorized. If you authorize a location-based IP address for a user it is like whitelisting that user only for that IP address. On the other hand, if you mark a user unauthorized, that user will still be able to access and make attempts but you will be notified every time. So the Access Location is different from blacklisting an IP unless you add the IP manually to the blacklist.

16.5. Muted Notifications

The Muted Notifications refers to those security events that have been acknowledged legitimately by ACSIA administrators and/or security analysts. Once an incident is marked to be muted ACSIA will no longer notify that type of incident. All muted events can be unmuted at any time.

17. Immediate Actions - Remediation options

It is highly likely that the Immediate Actions are going to be the most frequently used features of ACSIA by its users. You will often find these actions embedded in all incoming security events or email notifications. From there you can take immediate action and interactively mitigate the event for its remediation.

This is the Interactive feature of ACSIA where the user input is required for the remediation of events and threats:

The order of Immediate Actions (sometimes referred to as Remediation Options), supplied with the notifications dynamically changes based on the severity level of the event and the type of event. For instance, if there is a potential account compromise alert, the order of remediation action will be set on priority where the option appearing on the top will be the most logical choice followed by the second in the list and so on. ACSIA users will benefit greatly from this feature even if they don’t have cybersecurity knowledge or have limited technical skills.

17.1. Immediate Actions or Remediation Options offered by ACSIA:

17.1.1. Kill this connection

By choosing this action the ACSIA user will be killing network traffic (in real-time) for that malicious IP address and suspending all traffic for that IP address for the next 15 minutes. Any established connection and new connection requests will be killed while attempting to broadcast.

17.1.2. Acknowledge and Authorize User/Location

By choosing this action you authorize that specific user and the associated IP address on a permanent basis to access your premises. That IP address will be whitelisted for ACSIA and therefore you will no longer receive an alert originating from that IP address associated with its user.

17.1.3. Mark This User/Location as Unauthorized

By choosing this action you ask ACSIA to keep notifying users about this event until you make a decision. Use this for incidents where you have not yet decided to ban or authorize access made from an IP address.

17.1.4. Ban This IP

By choosing this action you permanently ban the IP address and therefore it will no longer be able to reach out to your systems.

17.1.5. Lock User

By choosing this action you lock the user account within your systems.

17.1.6. Track This IP

This action will take you to OpenDashboard application Dashboard where all network and server activity of that specific IP address will be populated to give full visibility of what’s happening.

17.1.7. Track This User

This action will take you to OpenDashboard application Dashboard where all network and server activity will be populated for that specific user by enabling you to establish the legitimacy of the user activity.

17.1.8. Whois Query

This is a domain name lookup service to search the whois database for domain and IP registration information. It gives relevant information about the ownership of the originating IP address of the malicious user.

17.1.9. View Details

This provides accurate details of the event, including the geographical location of the originating IP address and the geographical coordinates.

17.1.10. Close Incident

This is to simply disregard the event and if it reoccurs ACSIA will notify again.

17.1.11. Mute Notification

This action is to tell ACSIA to disregard and no longer notify when that specific event reoccurs.

17.1.12. Track Command Session - Only for Linux clients

This is an extremely powerful feature within ACSIA that is enabled by our Kernel level monitoring. From the moment that suspicious activity has been detected or a user has attempted to read or write to sensitive data or files, the alert will be triggered and real-time remediation actions provided. When you click on this Track Command Session you will be presented not only with that specific user activity that triggered the alert, but the entire session of the user in replay mode. This forensic level of detail will allow you to view the full activity performed by the user and therefore have an understanding of why that user tried to alter the sensitive files and data and make a remediation action swiftly.

18. Audit Logs

Audit Logs is the section where you can find all events that have been actioned or amended and by whom (ACSIA users, who did what on web UI).

19. Email Notification

An example of email and Slack notification is shown below:

As we can see in the above screenshot, we have received a notification about successful access using acsia user targeting our pre-production server. Now, we know that a legitimate user is logged in but ACSIA has rightfully notified this is a potential account compromise.

This user and location will become legitimate for ACSIA only if we authorize the user with the associated location as legitimate. ACSIA users are to train the ACSIA machine learning module when it comes to legitimate accesses like this one. This is where mostly the user input will be requested by ACSIA. Therefore ACSIA users will need to indicate for the first time, using, that this user is authorized and legitimate. From that moment onward ACSIA will know about that pattern and will no longer notify (unless the account is really compromised).

For any further information and queries please get in touch with our support team by contacting us via our support portal (https://support.4securitas.com).

ACSIA is a product of 4Securitas Ltd.

ACSIA Help Center

Search