Cisco Tetration - Hands-On Lab

Module26: Security Visibility & Monitoring

In this module we will review key security visibility and monitoring features of Tetration such as the Security dashboard, Vulnerability dashboard, and others. We’ll also investigate configuration of Alert triggers and the multiple alert destinations that can be configured.


Click here to view a video reviewing the Security and Vulnerability Dashboards.


Steps for this Module

Step 001 - Examine Vulerability Score
Step 002 - Review Vulnerability Score Help
Step 003 - Examine Process Hash Score
Step 004 - Review Process Hash Score Help
Step 005 - Change Scope to the nopCommerce application
Step 006 - Navigate to the Vulnerabilities Dashboard
Step 007 - View vulnerable Packages
Step 008 - View vulnerable Workloads
Step 009 - View CVE details
Step 010 - Review the CVE database
Step 011 - Change the Scope to the nopCommerce application
Step 012 - Examine the Remotely Exploitable vulnerabilities
Step 013 - Review vulnerable nopCommerce Workloads
Step 014 - Review IIS web server CVEs
Step 015 - Examine the NIST database
Step 016 - Navigate to vulnerabilities in the Workload Profile
Step 017 - Filter for high CVE score vulnerabilities
Step 018 - Review vulnerable packages
Step 019 - Review the Process Snapshot
Step 020 - Examine Process details
Step 021 - Navigate to the Vulnerability Dashboard
Step 022 - Change Scope to the OpenCart application
Step 023 - Select the Apache web server workload
Step 024 - Review the vulnerable packages
Step 025 - Examine the Process Snapshot
Step 026 - Review process details
Step 027 - Navigate to Applications
Step 028 - Manage Alerts for an Appication Workspace
Step 029 - Configure Compliance Alerts
Step 030 - Review current alerts
Step 031 - Filter alerts by severity
Step 032 - Navigate to alert configuration
Step 033 - View alert destinations


Step 001

Click on the Vulnerability Score on the main dashboard to view Vulnerability Score Help.

Step 002

The help screen provides explanation of the vulnerability score, how it is calculated, and details on how to improve the score.

Step 003

Scroll down and click on the Process Hash score to reveal Process Hash help.

Step 004

The help screen provides information on what agents are supported as well as how the score is calculated and how to improve the score. Each of the vulnerability score sections has a similar help screen.

Step 005

By default you are viewing the overall score for all applications and workloads that are installed with Tetration sensors. It is also possible to drill down to a specific application by changing the Scope. Change the scope to the nopCommerce application and review how the dashboard has changed to now more specific scores for the nopCommerce application and workloads.

Step 006

Navigate to the Vulnerability dashboard.

Step 007

There are three main tabs; CVEs, Packages, and Workloads. Click on the Packages tab and review the vulnerable packages.

Step 008

Click on the Workloads tab. This shows all of the workloads in the environment that are installed with Tetration sensors and their CVE score.

Step 009

Go back to the CVEs tab and click on one of the CVEs. This will launch a web browser to the NIST National Vulnerability Database which includes all of the details about the vulnerability.

Step 010

Clicking a CVE will launch a web page similar to the one below.

Step 011

It is also possible to filter to a specific application in the vulnerability dashboard by changing the Scope. Change the scope to the nopCommerce application.

Step 012

Click on the Remotely Exploitable Low Complexity indicator on the dashboard. A list of CVEs will be shown below.

Step 013

Click on the Workloads tab, and then click on the IIS web server.

Step 014

Click on one of the CVEs on the Workload Vulnerability Details screen. This will once again open a browser to the National Vulnerability Database for the specific details on the vulnerability.

Step 015

A page such as the one shown below will be displayed.

Step 016

Click on the link to the IIS web server at the top of the Workload Vulnerability Details screen. This launches into the Workload Profile Vulnerabilities tab.

Step 017

Here you can view all of the vulnerabilities associated with the server, and can filter the output based on many factors including severity. Enter the filter Score (V2) >= 9 to view vulnerabilities with CVE score of 9 or above.

Step 018

Click on the Packages tab. A list of all of the packages running on the machine is displayed. If a package has vulnerabilities, it will have a warning sign next to it and you can click on the warning sign to view the vulnerabilities for that package.

Step 019

Click on the Process Snapshot tab. The process snapshot shows all of the processes that have been seen and that are currently running on the machine. It displays processes launched as regular users as well as those launched by privileged users. Hover your mouse over the dots to view the processes.

Step 020

You can also get more details about a process by clicking on it. Click on a process to view the details.

Step 021

Navigate to the Vulnerability Dashboard.

Step 022

Change the Scope to OpenCart.

Step 023

Click on the Workloads tab, and then click on the Apache web server.

Step 024

Click on the link to the Apache web server.

Step 025

Click on the Process Snapshot tab. Several of the processes on the Apache web server have vulnerabilities, which are shown on the process tree with an orange triangle. Click on one of the vulnerabilities.

Step 026

Clicking on a vulnerable process shows the process details, along with the links to the vulnerabilities in the CVE database.

Step 027

Next we will explore the ability of Tetration to send notifications upon detected events. Navigate to Application Workspaces and select any application workspace. Then click on the Enforcement tab.

Step 028

Click on Manage Alerts.

Step 029

Here we can configure alerts to be generated when Rejected flows exceed a specified threshold, or when Escaped or Misdropped flows are reported. Enter the criteria Enforcement Rejected Flows > 0 and set the Severity to High. Optionally, you can choose to receive flow details with the alerts and/or an hourly or daily summary of all alerts.

Step 030

To view alerts within Tetration, click on Alerts and Current Alerts.

Step 031

Here you can see all of the alerts that have been generated, and can filter the alerts by severity, alert type, alert text, or status.

Step 032

Click on Alerts and then Configuration.

Step 033

Here you can configure alert destinations for each type of alert. The internal Kafka data tap is where the alerts we just viewed are stored. Alerts can also be sent to an External Kafka data tap, Syslog, E-Mail, Slack, Pager Duty or Kinesis.

YOU HAVE FINISHED THIS MODULE

Return to Table of Contents Go to Top of the Page Continue to the Next Module