ACSIA Help Center

ACSIA XDR Plus Installation and User Administration Guide - v6.x.x

Nadia Riccardi

 This guide applies only to ACSIA XDR Plus version 6.0.0.

 

1. Preface

This guide walks you through the prerequisites for installing ACSIA, the product installation and configuration details, administration, deployment troubleshooting and Frequently Asked Questions.

 


 

2. What is ACSIA XDR Plus?

ACSIA is an Automated Cyber Security Intelligence Application which enables organizations to protect themselves against malicious attacks and unauthorized entities targeting their data.

 


3. Installation and Configuration

Like any other software application, ACSIA has some prerequisites that must be satisfied before the installation can begin.

 

3.1. Prerequisites

3.1.1. Minimum Requirements

The ACSIA Server platform requires the following minimum specs:

  • The server can be deployed in a physical or virtual environment.
  • In the case of a virtual environment, the server needs a Virtual Machine; it can run on any hypervisor of choice (VMware, Hyper-V, VirtualBox, Proxmox, etc.) but not on containers (Docker, Kubernetes, LXD, LXC, Vagrant, etc.).
  • Ubuntu 20.04 LTS must be used.
  • 16 GB RAM (on virtual environments, the memory must be dedicated).
  • 8 vCPU.
  • 200 GB SSD storage (as a minimum; the actual need depends on the retention policy).
  • Network connectivity is required (to download and install the server, receive our threat intelligence feeds, connect with the clients, upgrade the system and verify the license).
  • Partitioning: no specific partitioning is required for the ACSIA VM; however, when ACSIA is hosted on-prem (outside cloud platforms), it is strongly recommended to set up an LVM (Logical Volume Manager) partition so the storage can be easily extended.

The specification above would support a typical standard workload of 100+ monitored hosts. ACSIA scales relatively linearly, so additional resources will support larger client environments.

To perform the installation, full internet connectivity is required. Once the installation is complete, only the following ports need to remain open to the following domains.

 

Source       | Destination      | Protocol | Port | Note
ACSIA Server | wimi.xdrplus.com | TCP      | 443  | Public IP and Latest Release
ACSIA Server | license.acsia.io | TCP      | 5150 | License Activation (TLS Enabled)
ACSIA Server | nexus.acsia.io   | TCP      | 443  | Download Updates


The domains and ports listed above should remain open at all times for private and public keypair verification for the license, although ACSIA allows up to 48 hours of connection loss before it enters an unlicensed state. The only exception to this requirement is where ACSIA is deployed from Amazon AWS Marketplace.
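Before running the installer, a quick way to confirm that the three egress endpoints above are reachable is the following added check (example code, not part of the ACSIA installer). It assumes nc, or bash with the coreutils timeout command, is available for the TCP probe, and it probes directly, so where egress goes through a proxy it is the proxy that must reach these endpoints.

```shell
#!/bin/sh
# Pre-flight check that the ACSIA server can reach the endpoints listed above.
# Added example, not part of the ACSIA installer: it only reports reachability
# and changes nothing on the system.

# The three endpoints from the prerequisites table (host:port).
ACSIA_EGRESS="wimi.xdrplus.com:443 license.acsia.io:5150 nexus.acsia.io:443"

# tcp_probe HOST PORT: exit 0 if a TCP connection opens within 5 seconds.
# Assumes either nc, or bash (for /dev/tcp) plus coreutils timeout, is installed.
tcp_probe() {
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 5 "$1" "$2" >/dev/null 2>&1
  else
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
  fi
}

# check_egress [ENDPOINTS]: probes each host:port with the function named in
# $PROBE (default tcp_probe). Reachable endpoints are reported on stderr, the
# unreachable ones are printed on stdout one per line; returns 1 if any failed.
check_egress() {
  endpoints=${1:-$ACSIA_EGRESS}
  prober=${PROBE:-tcp_probe}
  failed=0
  for ep in $endpoints; do
    host=${ep%:*}
    port=${ep##*:}
    if "$prober" "$host" "$port"; then
      echo "reachable   $ep" >&2
    else
      echo "$ep"
      failed=1
    fi
  done
  return $failed
}

# Run the report only when executed as a script named acsia_egress_check.sh,
# so the file can also be sourced (for instance to test it with a fake prober).
if [ "${0##*/}" = "acsia_egress_check.sh" ]; then
  if check_egress; then
    echo "all ACSIA egress endpoints reachable" >&2
  else
    echo "open the ports above before running acsia_install" >&2
    exit 1
  fi
fi
```

Save it as acsia_egress_check.sh on the server and run it as any user; every endpoint it prints on stdout still needs a firewall or proxy rule.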

ACSIA Client (with the agent) requires the following minimum specs:

  • The agent can be deployed on every supported OS type. We strongly recommend only using operating systems that are still supported by their respective vendors.
  • Currently, we have no minimum requirements for CPU and RAM, because our agents are extremely lightweight in terms of hardware consumption. We suggest performing the installation on a machine with at least 2 GB of free disk space.
  • Network connectivity toward the ACSIA Server (as specified in the following section).

 

3.1.2. Web UI Network ports

To access ACSIA’s Web UI, you will need to open the following ports between your workstation (Laptop/Desktop/PC) and the ACSIA server:

 

Source                    | Destination       | Protocol | Port | Note
Any PC that manages ACSIA | ACSIA Server's IP | TCP      | 443  | Used for HTTPS
ACSIA Server's IP         | license.acsia.io  | TCP      | 5150 | License Activation

 

3.1.3. ACSIA client-server ports using Agent installation

If you choose to deploy the ACSIA agent on the clients (servers or workstations), the only requirement for the agent to be able to communicate with the ACSIA server is that TCP port 443 (HTTPS) and port 444 (TCP and UDP) are open. If these ports are not open, please make sure to have them opened.

 

Source                        | Destination       | Protocol  | Port | Note
Any host with the ACSIA Agent | ACSIA Server's IP | TCP       | 443  | Used for Connections
Any host with the ACSIA Agent | ACSIA Server's IP | TCP & UDP | 444  | Used for Pulls
Any host with the ACSIA Agent | wimi.xdrplus.com  | TCP       | 443  | Used to pull the IP

 

3.1.4. ACSIA Proxy configuration - Only if you have Proxy

If you have a proxy server in your environment, please apply the following instructions.


3.1.4.1. Setting Up Permanent Proxy for All Users

To permanently set up proxy access for all users, you have to edit the /etc/environment file.

 

Step 1 - First, open the file in a text editor:

sudo nano /etc/environment

Step 2 - Next, add the following information to the file:

export HTTP_PROXY="[username]:[password]@[proxy-web-or-IP-address]:[port-number]"
export HTTPS_PROXY="[username]:[password]@[proxy-web-or-IP-address]:[port-number]"
export FTP_PROXY="[username]:[password]@[proxy-web-or-IP-address]:[port-number]"
...
export NO_PROXY="localhost,127.0.0.1,::1"

Step 3 - Update the .bashrc file with the same lines:

export HTTP_PROXY="[username]:[password]@[proxy-web-or-IP-address]:[port-number]"
export HTTPS_PROXY="[username]:[password]@[proxy-web-or-IP-address]:[port-number]"
export FTP_PROXY="[username]:[password]@[proxy-web-or-IP-address]:[port-number]"
...
export NO_PROXY="localhost,127.0.0.1,::1"

 

3.1.4.2. Setting Up Proxy for APT

On some systems, the apt command-line utility needs a separate proxy configuration because it does not use system environment variables.

Step 1 - To define proxy settings for apt, create or edit (if it already exists) a file named apt.conf in /etc/apt directory:

sudo nano /etc/apt/apt.conf 

Step 2 - Add the following lines to the file:

Acquire::http::Proxy "http://[username]:[password]@[proxy-web-or-IP-address]:[port-number]";
Acquire::https::Proxy "http://[username]:[password]@[proxy-web-or-IP-address]:[port-number]";

Step 3 - Save the file and exit. The configuration will be applied after a reboot.

 

In the NO_PROXY variable, in addition to the values shown above, you also need to add the internal networks and subnets where the monitored devices are located (your server or PC networks). Otherwise you will have connectivity issues between ACSIA and those networks when you try to add them as services to be monitored by ACSIA, because the proxy is unlikely to be able to reach those networks.

 

Any change to the variables above must be notified to ACSIA by running the configureHttpProxy command followed by acsia_restart (this applies once the ACSIA installation is complete).

 

3.2. ACSIA Server installation

Prepare a Linux VM (currently Ubuntu 20.04 is supported; please check the ACSIA release notes) to host the ACSIA server and ensure the system is up to date.

In order to install ACSIA some prerequisites need to be satisfied. You can execute our ARM script to make sure that all the prerequisites are in place. You'll find more information in our article: Pre-ACSIA Installation Minimum Requirements Check with AMR.

Once all your prerequisites have been satisfied, the installation of ACSIA can begin. If the requirements for the installation are not satisfied, the installation will fail, and you will be provided with an explanation of which prerequisites were not met.

 

Customers with a valid ACSIA license will receive an installation package from the 4Securitas Support team to download the main installation script acsia_prepare, and an additional file containing credentials, including the license.

 

Please, make sure that the acsia_prepare.sh script you use is the one provided in this article. Any previous versions of this file are unsupported.

 

Please follow the step-by-step instructions provided in this guide to install the ACSIA Server-client configuration.

 

3.2.1. Getting Started with the Installation of ACSIA Server

Log in to the newly provisioned VM for the ACSIA server, switch to the root user, and copy the acsia_prepare.sh and credentials.txt files that we provided to you.
Make the script executable with the command:
chmod +x acsia_prepare.sh
and then execute it:
./acsia_prepare.sh

 

Follow the instructions provided on your screen, and when complete, execute the following:

./acsia_app/bin/acsia_install

 

If all preliminary requirements are met according to the guidelines, the ACSIA server will be fully installed in about 5-6 minutes.

In case of any issue, please look at the Troubleshooting section in this guide, check our advanced troubleshooting guides in our Knowledge Base, or contact our support team by raising a ticket from this portal. When you request support, please provide as much information as possible (i.e. screenshots, logs, etc.); every detail will help us troubleshoot your incident faster.

At the end of the installation process, the terminal should show the credentials of the first admin user for logging in to the web UI, something like the following:

ACSIA web and Dashboards
Admin interface: https://192.168.1.246:443
Username: admin@acsia.io
Password: kzuh21ybnsdy1=ui12b5!2iutRIf123kjojb

Once the server installation finishes, the client installation will continue in the background (the ACSIA server becomes the first client to be monitored). Please wait for the engine to initialize upon client install completion.

We strongly suggest that you replace the generated passwords with new ones as soon as possible and store them properly.

At this point, you need to log out of the acsia account and log back in again so that the environment variables are loaded and all ACSIA service commands are available.

To check the progress status for the initialization of the ACSIA run:

acsia_tail_f

If you receive the error acsia_tail_f: command not found, you are not using the correct user; run the following:

sudo su - acsia

This switches you to the acsia account, allowing you to run all the necessary commands.

 

After the client installation is complete, you should see the following message in acsia_tail_f:

2022-07-10 15:52:21.254 INFO 29440 --- [main] com.forsecuritas.AcsiaLauncher : *************** SPRING APPLICATION RUNNING *************************

The above message indicates that the engine is up and running. Now you can log in to the web UI with the credentials provided; activate the license as the first thing you do after logging in.


To do so, go to Settings > License > Insert Activation Code. Then change the admin user right away: create a new user (with your own e-mail address and admin permission) and a new password (directly in the UI). Now log out, log back in with the newly created user, and delete the admin user already present in the UI.

After the installation is complete, you must log out of the running session and log back in again so that all environment variables are loaded and all ACSIA service commands are available.

 


 

4. ACSIA Service Commands

As mentioned above, all of ACSIA's service commands, including the start/stop services as well as troubleshooting tips, can be found in $ACSIA_HOME/acsia_app/bin.

Below are some frequently used service commands. 

Check if all ACSIA services are running:
acsia_stack_status

Start all ACSIA services:
acsia_stack_start

Stop all ACSIA services:
acsia_stack_stop

Start only the ACSIA engine:
acsia_start

Restart the ACSIA engine and services:
acsia_stack_restart

Restart the ACSIA engine:
acsia_restart

 

 

5. Configuring SSL certificate for ACSIA Web Application

By default, ACSIA generates self-signed SSL certificates for secure browsing. The self-signed certs are configured using ACSIA IP addresses (external or local if provided). If you wish to configure ACSIA with a proper CA and have your own SSL certificate, you can do that either during the installation of ACSIA or at a later stage. ACSIA requires the certificate and the key to be provided in two files - the private key and the public certificate (both to be .pem formatted).

  1. Deploy the cert during the installation: when installing ACSIA with acsia_install, simply add the extra command-line parameters --certificate /path/to/cert.pem, --key /path/to/key.pem and --domain my.domain.com. All three must be present, or the installer will exit with an error.
  2. Post-install deployment: a new script, acsia_deploy_ssl_certs, has been provided and accepts the same parameters as the previous step: --certificate, --key and --domain. Once the certificates have been deployed, you will need to execute acsia_stack_restart for all components to pick up the newly added certificates.

If you don't want to buy SSL certificates, you can use Let's Encrypt with Certbot; however, these instructions are not provided in this guide as they are subject to change, so we advise you to check on the respective websites.
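The added pre-flight check below (example code, not ACSIA's own script) verifies the three inputs before they are handed to acsia_install or acsia_deploy_ssl_certs: both files are PEM, the private key belongs to the certificate, the certificate has not expired and it covers the domain. It assumes openssl is installed for everything beyond the PEM header check.

```shell
#!/bin/sh
# Pre-flight check for the --certificate, --key and --domain values before they
# are passed to acsia_install or acsia_deploy_ssl_certs. Added example, not part
# of ACSIA. Assumes openssl is available for the key-match, expiry and domain
# checks; without it only the PEM header check runs.

# domain_matches NAME "CANDIDATE ...": 0 if NAME equals a candidate or matches
# a wildcard such as *.example.com (one label only, as browsers apply it).
domain_matches() {
  want=$1; found=1
  set -f                              # no filename globbing on "*.example.com"
  for cand in $2; do
    case $cand in
      "$want") found=0; break ;;
      '*.'*)
        rest=${cand#\*.}
        if [ "${want%."$rest"}" != "$want" ] && [ "${want%."$rest"}" = "${want%%.*}" ]; then
          found=0; break
        fi ;;
    esac
  done
  set +f
  return $found
}

# check_ssl_inputs CERT.pem KEY.pem DOMAIN
# Returns 0 when all checks pass, otherwise: 2 missing/unreadable argument,
# 3 not PEM, 4 key does not match certificate, 5 domain not in CN/SAN,
# 6 certificate expired. The reason is written to stderr.
check_ssl_inputs() {
  cert=$1; key=$2; domain=$3
  if [ -z "$cert" ] || [ -z "$key" ] || [ -z "$domain" ]; then
    echo "need --certificate, --key and --domain" >&2; return 2
  fi
  for f in "$cert" "$key"; do
    if [ ! -r "$f" ]; then echo "cannot read $f" >&2; return 2; fi
  done
  if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cert"; then
    echo "$cert is not a PEM certificate" >&2; return 3
  fi
  if ! grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$key"; then
    echo "$key is not a PEM private key" >&2; return 3
  fi
  if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found; key match, expiry and domain not verified" >&2; return 0
  fi
  # Same public key on both sides means the private key belongs to this cert.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "private key does not match certificate" >&2; return 4
  fi
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
    echo "certificate has expired" >&2; return 6
  fi
  # Collect the DNS SANs plus the subject CN and look for the domain among them.
  names=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
          | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' ' | tr ',' '\n' \
          | sed -n 's/^DNS://p')
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  if ! domain_matches "$domain" "$names $cn"; then
    echo "$domain is not covered by the certificate (names: $names $cn)" >&2
    return 5
  fi
  echo "ok: $cert and $key are consistent and valid for $domain" >&2
}
```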

 


 

6. Updating ACSIA

Updating ACSIA is reasonably easy and straightforward.

To update, all you need to do is run the following command on the command line as the acsia user:

acsia_update

 

This command is only valid for updates from version 5 up to 5.9.9. To update to version 6.0.0 you need to run the pre-update script provided in our Release Note v6.x.x.


You will require your ACSIA username and password to get updates. These credentials are usually supplied within the same email where you receive your license instructions.

Major releases of ACSIA will generally include core tool upgrades. We, therefore, recommend a full-stack stop-and-start when performing these upgrades. You can do this by running the command:  acsia_stack_stop && acsia_stack_start

 


 

7. Access to OpenDashboard

The OpenSearch visualizer OpenDashboard is part of the ACSIA stack. To access OpenDashboard applications and dashboards, user authentication with a password is required. Users must present their ACSIA username/password whenever they attempt to view the Dashboards. The username and password are automatically generated from the ACSIA Web UI login credentials.

 


 

8. Preparing Your Servers to be Connected to ACSIA

ACSIA supports Linux, Windows and macOS operating systems.

8.1. Preliminary Requirements

If your IT infrastructure is hosted on Google Cloud (Metadata Page), you can skip the following steps by adding ACSIA ssh-keys to your project from the Google console. AWS has a similar setup that can be done via OpsWorks.

8.2. Deploying ACSIA via an agent

For all Linux, Windows and macOS Client Agents, all you need to do is navigate in the ACSIA Web UI to Hosts → Add Host, select the operating system (Linux, Windows or Mac) and download the agent.

Please be aware that an agent is not tied to a single client: the same agent downloaded from the UI can be used for multiple hosts. The agent is valid for seven days from the download; after that you will have to download it again.

8.2.1. Connecting a Linux/Mac Client

Requirements

  • Kernel 2.6 or later
  • Python 2.7 or later
  • User account acsia with sudo privileges

 


 

Copy the downloaded agent to the client device for the installation and execute it as root on Linux/macOS.

To install the client, the procedure is the following:

  • Download a .txt file (Acsia-Linux-Agent.txt or Acsia-Mac-Agent.txt) from the UI.
    You can do so by clicking "Add Host +" and then “Linux”/"Mac".
  • Create the Acsia-Linux-Agent.txt/Acsia-Mac-Agent.txt file in the shell (with nano or vim), make it executable with this command:
    chmod +x Acsia-Linux-Agent.txt
    or
    chmod +x Acsia-Mac-Agent.txt
    and run it:
    sudo ./Acsia-Linux-Agent.txt
    or
    sudo ./Acsia-Mac-Agent.txt

8.2.2. Connecting a Windows Client

To download a Windows client, follow the same procedure as Linux, but select “Add Windows”.



Connect to the machine (for example via RDP), search for “Windows PowerShell ISE” and, BEFORE opening it, right-click it and select “Run as administrator”.
Press CTRL + R, paste the content of the Agent into the pane that just opened and then click on the green “Run script” icon.

Wait until the installation has finished and you’ll receive the output showing the successful installation.

 

8.2.3. Check the Hosts installed

After installing the agent on your clients, you will see the clients automatically listed (populated) on ACSIA UI in the Hosts section if all prerequisites are in place.

Client agents are connected to the ACSIA server via an API; all ports are consolidated into two, 443 (TCP) and 444 (UDP/TCP), as per the requirements.

ACSIA agents downloaded from the UI carry tokens that expire after seven days, and each download is valid for multiple devices. If the agent provided to you is not working, please generate a fresh agent, because the cause is most likely an expired token.

 

 


 

9. User Administration

The user administration section can be found at the bottom of the page, on the left, by clicking on Settings.

 

9.1. Preferences

9.1.1 Automatic Ban

If you’d like ACSIA to handle the majority of threats originating from outside your organization (i.e. attacks originating from the internet such as BotNet, Bruteforce, Dictionary, SQL injections, XSS attacks, etc), then this feature must be enabled.

If enabled, ACSIA will automatically take remediation actions, such as banning IP addresses in real time. You can enable Automatic Ban by navigating to the Settings area and clicking on the tab Preferences.

9.1.2 Private IP Ban

ACSIA, by default, does not ban local IP addresses; this is to avoid any business interruption or similar incidents that will impact business. However, if you want to ban local IP addresses, you can enable this feature under the Settings > Preferences tab.

9.1.3 Sysmon

This new feature, if enabled, automatically blocks portable executable (PE) files from being written to disk (for Windows clients and servers only).


  

9.2. Notifications

9.2.1 Legitimate User Access

This functionality, if enabled, allows you to be notified every time a legitimate user is accessing the system.

9.2.2 Kernel Notifications

With kernel-level monitoring enabled, ACSIA intercepts the stream of every system call made to the kernel and searches it for anomalies/threats in real time (Linux systems only).

If you’d like to receive kernel-level notification, it is recommended to keep this feature enabled. It can be disabled at any time for those who wish to do so by navigating to Settings and clicking on the Notifications tab.


9.3 Integrations

ACSIA has a growing list of 3rd party integrations available; please check the ACSIA XDR Plus Integrations Guide - v6.x.x for more information.

9.4 DNS Shield and DNSSEC

9.4.1 DNS Shield

DNS Shield: this functionality, if enabled, blocks user connections to malicious domains. When a user receives an e-mail and clicks on the IP/attachment, if it is recognised by ACSIA as malicious, a courtesy page appears instead of the link.
This page informs the user that the destination is malware and that access has been proactively blocked.

This feature is currently not supported on MacOS.

 

9.4.2 DNSSEC 

DNSSEC authenticates responses to domain name lookups. Connections to websites that do not use the DNSSEC functionality will be blocked.



9.5. Log Retention

ACSIA stores all incoming logs from servers across OpenSearch and MySQL databases. The lifespan (retention period) of the logs can be configured by navigating to Settings and clicking on the Log Retention tab.

 


 

ACSIA enables users to set the different retention periods for different types of log files (which are listed below):

  • Access Logs: These logs include all system logs and event logs
  • Web Logs: Web logs are the web applications logs (i.e. apache, Nginx, tomcat, IIS, etc.)
  • Audit Logs: the well-known Linux audit logs.
  • Network Log: These logs are the network traffic captured at the server level (inbound and outbound).
  • ACM Logs: ACM stands for Advanced Compliance Mitigation and therefore these are compliance-related logs (system, application, security events, etc)

 

9.6. License

After completing the installation, you can access the ACSIA application via a web browser. The first action is to activate the license.

If you do not activate the license, you won’t be able to do anything, as the application will not function. To activate the license, copy the license code provided and go to Settings from the menu and then select the License tab where you can add/activate the license.

Here you will see all the information about your license: expiry date, client hosts on the instance, active instances. By clicking "Deactivate" you can deactivate your license.

 


 

The license can be requested via ticket from our support portal https://support.4securitas.com or if you have issues accessing it, contact the support via email at support@acsia.io.

 

9.7. Users

Adding a user has never been simpler. Just click on Settings from the menu and then Users.

Then click on "ADD USER" and fill in all the fields, you can also Delete or Edit Users in this Section. Please keep in mind that the actual username must be an email address.

From the Web UI you can also change the password, modify the user, send the password reset email and delete the user.


 

9.8. Email 

The email settings relate to ACSIA server-side notifications via emails. This setting can be found in the Settings menu, in the Email tab.

Here you can set the sender's email and the name for it. For instance, if your organization's domain is called example.com you can set the email as no-reply@example.com and the name as Acsia Alerts and whitelist the accounts on your anti-spam filters to ensure you receive notifications from that email account.

As soon as you set this up, you will start receiving notification emails as per the setup.

If you experience issues receiving email, the recommended action is to set up a real email account and configure it: under the email notification settings, instead of setting a simple email and label, you can enable SMTP and authentication and fill in the details of the email account you wish to use as sender.


If you have trouble setting this up, you can check the following troubleshooting article: Set and Configure a real email account as a sender V5.0+.

 


 

9.9. Two-Factor Authentication

ACSIA offers a 2FA method that can be implemented during or after installation for enhanced security. We strongly recommend that 2FA is enabled for all users by navigating from Web UI to Settings > Two-Factor Authentication.


 

9.9.1. Enabling 2FA for ACSIA Web UI Login

We strongly recommend that 2FA is enabled for the UI, especially if ACSIA users access the UI from the internet. If 2FA is enabled for the WebApp login, all users are provided with a QR code (to be scanned with, e.g., Google Authenticator or FreeOTP) and must present the TOTP code each time they log in to the application, along with their traditional access credentials (username and password).

 

9.10. Software Updates

This section will notify you when a new update is available. You will have to update ACSIA from the command line. 

 

9.11 Clients Uninstall

This section allows the user to uninstall ACSIA (the action removes all firewall rules, data shippers and agents from all active hosts, including ACSIA itself, and cannot be undone). This procedure should be performed only if you want to remove ACSIA entirely from one server and reinstall it from scratch on another (including the reinstallation of all the hosts). It is also required to free the ACSIA license; otherwise a reinstallation will not be possible.


 

10. Overview

10.1 Main Dashboard

ACSIA XDR Plus, as of v6.0.0, has the Main Dashboard in its new interface. This dashboard actively examines data with numerical, graphical and mapping visuals. At first glance, data related to the last ten days is presented. Data can be filtered to a certain period using the filtering tool in the upper left corner.

 


 

By default, the following data sets are displayed in the dashboard with the corresponding quantitative results.

  • Number of Critical Alerts
  • Number of High Alerts
  • Number of Medium Alerts
  • Number of Low Alerts
  • Number of IoCs Blocked by ACSIA
  • Number of Attacks Blocked (IP Banned)

 

Graphically displayed data:
  • Attack Trends Line Graph
  • Top 10 Attacks by Category Graph
  • Top 10 Blocked Hosts (Prisma) Graph
  • Top 10 Offenders Graph
  • Top 10 Attacked Hosts Bar Graph
  • Top 10 Failed Logins Bar Graph
  • Top 10 Successful Logins Bar Graph
  • Top 10 Destinations Bar Graph

Geolocalized attack trends in the last ten days are shown on the world map.

The dashboard can be customized according to your needs.

 

10.2 Insights

The Insights area can be found on the left-hand sidebar menu under "Overview". This section contains multiple dashboards that ACSIA offers for deep investigation of events or to generate reports and analytics. Each dashboard is visualized using OpenDashboard, a web application from the OpenSearch stack.

Each dashboard is self-described under the Insights area.

 


 

The results in each tab can be filtered to include a wider or smaller time span. 

 


 

11. Hosts

11.1 Host List Section

The Host List page shows the inventory of all devices connected to ACSIA in table form; the columns are briefly described below:

  • Host Alias: here you can assign an alias name to recognise hosts more easily
  • Hostname: this value is retrieved automatically from the host, but the user can change the name
  • Host IP: the IP address through which the client is connected
  • OS (Operating System): displays the client operating system
  • Agent Version: indicates the version of the agent (if it is the most recent version, "latest" is displayed in brackets next to the version of the agent)
  • Last seen: indicates when the agent last contacted the ACSIA server
  • Status: contains the list and the status of all shippers that stream the client logs to the ACSIA server. There are five different status types:
    - Active - when the Agent is up and running
    - Idle - when the Agent and the Central Manager have not communicated for more than 1 hour
    - Disconnected - when they have not communicated for 24 hours
    - Error - when the Shippers are not running
    - Shipper Stopped - when the Shippers have been manually stopped
    - Isolated - when the Host is quarantined
  • Profiles: here you will see the Profile of any Host that has been added
  • Risk: this section shows the result of basic security checks performed on each host


In the Host List section, hosts can be filtered according to their OS by clicking on the related tab. 

 


 

12. Events Section

12.1. Live Notifications

On the left side menu, Live Notifications contains a list of all live events that are not being actioned yet. All incoming security alerts will be listed in this section and by clicking on the Details arrow on each notification you can browse and explore the full details of a single incident/alert generated by ACSIA.


 

There are also filters where the events can be displayed and searched by client IP, severity, category, and type of event.

 


 

13. Profiles

13.1 Host Insight

Host Insight is a new feature in v6.x.x that gives you a quick overview of the security posture of managed clients by assessing them using compliance and security checks.

 


 

14. Compliance

The Compliance area contains dashboards/reports relating to the compliance and regulatory frameworks listed below:

  • Security Information Management
    - Security events report
    - Integrity monitoring report
  • Threat Detection and Response
    - Vulnerabilities report
    - Mitre Att&ck
  • Auditing and Policy Monitoring
    - Policy monitoring dashboard
    - System auditing dashboard
  • Regulatory Compliance
    - GDPR
    - PCI DSS
    - HIPAA
    - NIST 800-53
    - TSC


 

Each dashboard is self-described under each tab. 

Regulatory compliance dashboards cover global regulatory regimes from GDPR, PCI DSS, NIST 800-53, HIPAA, TSC and Mitre Att&ck framework. ACSIA provides full control and visibility in real-time on compliance of IT systems, and if the systems are not compliant, it provides the exact failing point so it can be easily addressed. By clicking on "View", you'll be redirected to OpenDashboard where there is more detailed information according to the compliance dashboard selected.

 


 

15. Policies

ACSIA's Policies section provides an inventory of what is and is not allowed on monitored clients. When ACSIA blocks traffic, it uses the individual clients' local firewalls (Windows Firewall, the routing table on Linux systems, etc.). The Policies section is divided into 5 subsections as follows:

  • IP Blacklist
  • IP Whitelist
  • Locked Users
  • Access Location
  • Muted Notifications


15.1. IP Blacklist

The IP Blacklist contains all those source IP addresses that have been marked as malicious and unauthorized and therefore blacklisted (banned by hosts). You can undo an action if an IP address is mistakenly banned by a user. If the autoban feature is enabled, ACSIA will automatically handle all potential attacks and threats originating from outside of the organization (from the internet for example) whereas internal threats will always be notified for the ACSIA administrator to make the final decision.

15.2. IP Whitelist

The IP Whitelist contains all those source IP addresses that have been marked as trusted. Note that whitelisting an IP address does not cover web requests (because of the sensitivity of web application-level access). Therefore, when an IP address is whitelisted, the whitelisting does NOT APPLY to web applications: if traffic originating from that specific IP address is identified as a potential threat to a web application, it will still be subject to notification and alert.

15.3. Locked Users

The Locked Users list contains specific users that have been marked as locked. They can be legitimate users who attempted to gain access to non-authorised areas, or malicious users that have compromised the legitimate account details of a user and have therefore been locked. ACSIA does not automatically block legitimate users; it always requires user input, so it is at the ACSIA administrator's discretion to make that decision.

15.4. Access Location

The Access Location refers to those security events where legitimate access originates from a geographical location or an IP address that wasn’t authorized on ACSIA. These access requests need to be authorized or denied manually. If you authorize a location-based IP address for a user it is like whitelisting that user only for that IP address. On the other hand, if you mark a user unauthorized, that user will still be able to access and make attempts but you will be notified every time. So the Access Location is different from blacklisting an IP unless you add the IP manually to the blacklist.

15.5. Muted Notifications

Muted Notifications refers to those security events that have been acknowledged as legitimate by ACSIA administrators and/or security analysts. Once an incident is marked as muted, ACSIA will no longer notify that type of incident. All muted events can be unmuted at any time.

 


 

16. Audit Logs

Audit Logs is the section where you can find all events that have been actioned or amended and by whom (ACSIA users, who did what on web UI).

17. Distribution Lists

ACSIA enables you to create distribution lists where you can add members to each group and set the notification types to be sent to each distribution list. For instance, you can set a distribution list to receive only Critical or High or Medium/Low priority security alerts. Your C-Level management may not want to receive alerts outside Critical events and therefore a distribution list can be created to satisfy this requirement.

You will find the Distribution List on the left sidebar menu. To create a new distribution list just click "ADD NEW LIST".

Give a name to the new Distribution List, select the members by adding them to the list, and choose the type of events (Critical, High or Medium/Low) that you wish the group to receive.

You are now all set to receive notifications through the distribution list.

18. Immediate Actions - Remediation options

The Immediate Actions are likely to be the most frequently used features of ACSIA. You will find these actions embedded in all incoming security events and email notifications. From there you can take immediate action and interactively mitigate the event for its remediation.

This is the interactive feature of ACSIA, where user input is required for the remediation of events and threats.

The order of the Immediate Actions (sometimes referred to as Remediation Options) supplied with the notifications changes dynamically based on the severity level and the type of the event. For instance, if there is a potential account compromise alert, the remediation actions will be ordered by priority, with the option appearing at the top being the most logical choice, followed by the second in the list, and so on. ACSIA users will benefit greatly from this feature even if they don’t have cybersecurity knowledge or have limited technical skills.

18.1 Immediate Actions or Remediation Options offered by ACSIA:

18.1.1. Kill this connection

By choosing this action the ACSIA user kills the network traffic (in real time) for that malicious IP address and suspends all traffic from that IP address for the next 15 minutes. Any established connection and any new connection request from it will be killed while it attempts to communicate.

18.1.2. Acknowledge and Authorize User/Location

By choosing this action you authorize that specific user and the associated IP address on a permanent basis to access your environment. That IP address will be whitelisted for ACSIA and therefore you will no longer receive an alert originating from that IP address associated with its user.

18.1.3. Mark This User/Location as Unauthorized

By choosing this action you ask ACSIA to keep notifying users about this event until you make a permanent decision to block or authorize it. Use this for incidents where you have not yet decided whether to ban or authorize access made from an IP address.

18.1.4. Ban This IP

By choosing this action you permanently ban the IP address and therefore it will no longer be able to reach your systems.

18.1.5. Lock User

By choosing this action you lock the user account within your systems.

18.1.6. Track This IP

This action takes you to the OpenDashboard application, where all network and server activity of that specific IP address is populated to give full visibility of what’s happening.

18.1.7. Track This User

This action takes you to the OpenDashboard application, where all network and server activity of that specific user is populated, enabling you to establish the legitimacy of the user’s activity.

18.1.8. Whois Query

This is a domain name lookup service to search the whois database for domain and IP registration information. It gives relevant information about the ownership of the originating IP address.

18.1.9. View Details

This provides accurate details of the event, including the geographical location of the originating IP address and the geographical coordinates.

18.1.10. Close Incident

This simply disregards the event; if it reoccurs, ACSIA will notify again.

18.1.11. Mute Notification

This action is to tell ACSIA to disregard and no longer notify when that specific event reoccurs.

18.1.12. Track Command Session - Only for Linux clients

This is an extremely powerful feature within ACSIA, enabled by our kernel-level monitoring. From the moment suspicious activity is detected, or a user attempts to read or write sensitive data or files, the alert is triggered and real-time remediation actions are provided. When you click on Track Command Session you will be presented not only with the specific user activity that triggered the alert, but with the entire session of the user in replay mode. This forensic level of detail allows you to view the full activity performed by the user and therefore to understand every keystroke the user made, which files were accessed, what changes were made, etc.

18.1.13. Isolate This Server

This action will put the Server in quarantine and you'll find it in the Host List Section, in the tab "Quarantined Hosts".

18.1.14. Close All Similar Events on This Server

This option will close all similar events on the same server.

18.1.15. Close All Similar Events on All Servers

This option will close all similar events on all the servers.

19. Container-specific details

ACSIA is container-aware and will automatically track kernel events within containers. However, if you run application or web servers within containers and wish for their logs to be monitored, the logs must be made available to the host. ACSIA does not support symlinks to log files: it must be the full path to the given log file.

Linux container logs can be presented to ACSIA by using the docker options --volume or --mount, as described in the official Docker documentation, or in the docker-compose documentation if you are using docker-compose.
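As an added example (not ACSIA's own tooling), the following script shows a bind mount that exposes a container's log directory on the host and a check that the host path meets the two rules above: it is a full (absolute) path, and there is no symlink anywhere in it. The container name, image and all paths are constructed for the example.

```python
"""Added example, not ACSIA's own tooling: check that a host path handed to ACSIA
for container-log monitoring meets the rules in section 19, i.e. an absolute path
to a regular file with no symlink at any component. Paths are constructed."""
import os
import tempfile
from pathlib import Path

# First make the container's log directory visible on the host with a bind mount
# (constructed example; ACSIA would then monitor /var/log/acsia-web/access.log):
#   docker run -d --name web \
#     --mount type=bind,source=/var/log/acsia-web,target=/var/log/nginx nginx
# docker-compose equivalent under the service:
#   volumes:
#     - /var/log/acsia-web:/var/log/nginx


def check_log_path(path: str) -> list:
    """Return a list of problems; an empty list means ACSIA can use the path."""
    p = Path(path)
    if not p.is_absolute():
        return ["path is not absolute"]
    # Inspect every prefix: a symlinked parent directory defeats monitoring just
    # as a symlinked log file does, so both are rejected.
    prefix = Path(p.anchor)
    for part in p.parts[1:]:
        prefix = prefix / part
        if prefix.is_symlink():
            return ["symlink in path: %s -> %s" % (prefix, os.readlink(prefix))]
    if not p.is_file():
        return ["not an existing regular file"]
    return []


def demo() -> dict:
    """Run the check over a constructed scratch tree: a real log file, a symlink to
    it, the same file reached through a symlinked directory, and a relative path."""
    base = Path(tempfile.mkdtemp()).resolve()  # resolve: /tmp itself may be a symlink
    real = base / "logs" / "access.log"
    real.parent.mkdir()
    real.write_text("127.0.0.1 - - [constructed sample line]\n")
    (base / "link.log").symlink_to(real)
    (base / "linkdir").symlink_to(real.parent)
    return {
        "real": check_log_path(str(real)),
        "file_symlink": check_log_path(str(base / "link.log")),
        "dir_symlink": check_log_path(str(base / "linkdir" / "access.log")),
        "relative": check_log_path("logs/access.log"),
    }
```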

For any further information and queries please get in touch with our support team by contacting us via our support portal (https://support.4securitas.com).

ACSIA is a product of 4Securitas Ltd.

Copyright 2022 4Securitas Ltd