KHIKA App for IIS WebServer

From khika
== Introduction ==
  
IIS web servers form an important part of an organisation's network, so monitoring them is imperative. IIS web server logs carry valuable information about each client's activity and communication with the server. KHIKA visual analytics make it simpler to identify and pinpoint where risks are introduced, so you can take preventive measures accordingly. The KHIKA App for IIS Webserver is aimed at giving you insight into behaviour, errors and traffic.
  
 
With the KHIKA App for IIS Webserver, you can:
*Monitor hundreds of IIS servers from one central place.
*Monitor HTTP error status and error trends for the URLs accessed on your servers.
*See the top N URLs requested on your servers and their statistics, including the average and total time taken by each URL.
*See the user-wise request distribution on your servers.
We explain below the steps to configure and interpret the output of the KHIKA App for IIS Webserver.
 
 
The key parts to get here are:

#Install the KHIKA App for IIS Webserver
#Get data from your IIS Webserver into the KHIKA Aggregator
 
== How to Install the KHIKA App for IIS WebServer? ==
  
 
This section assumes that you have already configured the KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the pre-requisite steps.
  
This section explains how to pick and install the KHIKA application for IIS Webservers. Installing the application puts together and activates the adapter (parser) that handles the incoming log format, together with the preconfigured dashboards and alert rules.
  
 
Go to the “Applications” tab in the “Configure” menu.
  
[[File:node.jpg|500px]]
  
 
Check whether the appropriate Workspace is selected.
Note: An application is always loaded in a Workspace. Read the section on [[Accessing the KHIKA Gui#Creating a Workspace|Workspaces]] to know more about KHIKA Workspaces.
 
Also select your KHIKA aggregator name in the Node dropdown.

This ensures that we are collecting data from the desired source and into the correct workspace, which is ready with the configured application and components.
  
[[File:install_app.jpg|500px]]
  
Click on the “+” button next to the IIS WebServer App. A pop-up appears.
  
[[File:install_app1.jpg|500px]]
  
 
You can now select the contents of the application you require. For example, click the dropdown for “Reports” to expand it; the list of all reports can be seen. Select the reports you need individually by checking the checkbox next to each, or check “Select All” to get all of them.
Similarly, you can select contents from Alerts and Dashboards.
 
   
 
   
[[KHIKA Reports|What are KHIKA Reports]]<br/>
[[KHIKA Dashboards|What are KHIKA Dashboards]]<br/>
[[KHIKA Alerts & Correlations|What are KHIKA Alerts]]<br/>
  
 
Click “Install” to proceed with the installation of the selected Application.
If you have created multiple IIS webserver workspaces in KHIKA and installed the app previously, you will get the pop-up below.
  
[[File:App_alredy.JPG|500px]]
  
 
Click on OK to proceed. If this is not the case, ignore this step.

After successful installation, the following status should be displayed.
  
[[File:install_status.jpg|500px]]
  
 
Click on the Close button.
 
== How to get your IIS WebServer data into KHIKA ? ==
  
KHIKA recommends the popular open source OSSEC integration to monitor IIS Webservers.
 
There are two components in the OSSEC integration with KHIKA.
#OSSEC Agent – installed on each server we wish to monitor
#OSSEC Server – present on the KHIKA Data Aggregator (which you have installed before)
  
 
The OSSEC agent and server communicate with each other using a unique per-agent key for encryption. Treat this key as a secret: anyone holding it can submit events to the OSSEC server as that agent.
The main steps to start getting data from an IIS Webserver are:
#Add the webserver details in KHIKA
#Extract a unique key for this device from KHIKA
#Install the OSSEC agent on the webserver
#Insert this key in the OSSEC agent (i.e. on the webserver to be monitored)
#Reload Configuration in KHIKA
#Verify data collection in KHIKA
 
Go to the Adapter tab from the “Configure” menu. Click on the “Manage Devices” icon.
  
[[File:iis_manage_device_1.jpg|500px]]
  
 
A pop-up appears for device details.
 
Click on the “Add / Modify Device” tab. Another pop-up appears for device details.
  
[[File:list_device_11.jpg|500px]]
  
 
Enter the expected device name. In the field for IP address, enter “any”. (“any” makes the OSSEC server accept this agent's key from any source address; if the webserver's address is fixed, you can enter that address instead so the key is only accepted from that host.)
 
Click on Submit. We get a success message and the device is added to this adapter.
  
[[File:iis_adding_device.jpg|500px]]
  
 
Finally, go to the Workspace tab and click on the “Apply Configuration” icon.
  
[[File:iis_10_1.jpg|500px]]
  
 
We get a confirmation message here too, saying “Changes Applied”.
 
  
 
== Extract key from KHIKA OSSEC Server ==
  
Now the expected server is added to the relevant KHIKA Adapter (the parser that will parse this data type). To see this device entry, click on the “Manage Devices” icon next to the adapter.
  
[[File:iis_manage_device_1.jpg|500px]]
  
 
A pop-up with the device details of the adapter appears. Select the “List of Devices” tab.
  
[[File:iis_12.jpg|500px]]
  
 
Click on the “Get OSSEC Key” icon next to this device.
  
[[File:get_ossec_key_1.jpg|500px]]

[[File:iis_extract_key.jpg|500px]]
  
This is the unique key for this device, created by the OSSEC server. Paste this key into the OSSEC agent installed on this webserver. Handle it as a credential: do not leave it in tickets, chat or shared documents.
  
== Installing OSSEC Agent for IIS WebServer ==
  
Download the [https://goo.gl/86gRQL Windows OSSEC agent from here].<br>
For an IIS Webserver you will need the Windows installer with filename '''ossec-win32-agent.zip'''. This works for both 32-bit and 64-bit Windows server OS versions.
  
Copy the downloaded installer to your webserver (using WinSCP or your favourite SCP client) and run the installer as the local Administrator on the server.

Please note: it is extremely important to install the OSSEC agent with admin privileges, as the agent reads the security logs and, to read them successfully, it has to run as the local Administrator.
 
Select the installer file and press "Run".
 
[[File:Win19.jpg|500px]]
  
After the installation is complete, verify that the OSSEC HIDS service is installed on your webserver (open the Services control panel and check for the OSSEC HIDS service).
  
 
[[File:Win20.jpg|500px]]
  
NOTE: You will have to repeat these steps on each webserver that you wish to monitor using KHIKA.
  
 
== Insert unique OSSEC key in Windows OSSEC Agent ==
  
Perform the following simple steps in the agent on your webserver:

In the OSSEC Agent installation directory, run win32ui.exe (Run as Administrator) to open the window shown below.
  
 
Wait for a few minutes. Repeat the above steps for all the agents to be added.

The agent only forwards the log files listed under <code>&lt;localfile&gt;</code> in its ossec.conf. Check that there is an entry with <code>&lt;log_format&gt;iis&lt;/log_format&gt;</code> whose <code>&lt;location&gt;</code> matches the directory where your IIS site actually writes its W3C logs (by default <code>C:\inetpub\logs\LogFiles\W3SVC&lt;site id&gt;\</code>); a site logging to another path or a different site id is the most common reason for an agent that is connected but sends no web traffic.
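The text that the “Get OSSEC Key” button hands you is OSSEC's standard exported agent key: the base64 encoding of the agent's <code>client.keys</code> record, <code>id name ip secret</code>, where <code>manage_agents</code> generates the secret as 64 hex digits. The Python below is an added example (not KHIKA or OSSEC code) that decodes such a key so you can check, before pasting it into win32ui.exe, that the name is the device you added, that the IP is the “any” you entered and that the secret survived the copy. The sample key is constructed here; the <code>tl_src_host</code> query it builds assumes KHIKA indexes the agent name unchanged apart from case.

```python
"""Decode and sanity-check an exported OSSEC agent key (added example)."""
import base64
import re

# Constructed sample: what KHIKA would hand you for a device named
# iis-web-01 that was added with IP "any". The secret is made up.
SAMPLE_SECRET = "0123456789abcdef" * 4
SAMPLE_EXPORT = base64.b64encode(
    f"001 iis-web-01 any {SAMPLE_SECRET}".encode("ascii")
).decode("ascii")


def decode_ossec_key(exported: str) -> dict:
    """Return the four fields of an exported OSSEC agent key.

    Raises ValueError when the text is not a well-formed export, which is
    the usual cause of the agent rejecting a key after a copy/paste.
    """
    try:
        raw = base64.b64decode(exported.strip(), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("key text is not valid base64") from exc
    parts = raw.split()
    if len(parts) != 4:
        raise ValueError(f"expected 4 fields (id name ip secret), got {len(parts)}")
    agent_id, name, ip, secret = parts
    if not agent_id.isdigit():
        raise ValueError(f"agent id {agent_id!r} is not numeric")
    if not re.fullmatch(r"[0-9a-f]{64}", secret):
        raise ValueError("secret is not 64 hex digits; the key was truncated or edited")
    return {"id": agent_id, "name": name, "ip": ip, "secret": secret}


def client_keys_line(fields: dict) -> str:
    """The record the agent stores in client.keys for this key."""
    return f"{fields['id']} {fields['name']} {fields['ip']} {fields['secret']}"


def redacted(fields: dict) -> str:
    """Safe form for tickets or chat: everything except the secret."""
    return f"{fields['id']} {fields['name']} {fields['ip']} <secret redacted>"


def discover_query(fields: dict) -> str:
    """The Discover search string for this device (name in lower case)."""
    return f"tl_src_host : {fields['name'].lower()}"


if __name__ == "__main__":
    key = decode_ossec_key(SAMPLE_EXPORT)
    print(redacted(key))
    print(discover_query(key))
```

If <code>decode_ossec_key</code> raises, fetch the key again from the “Get OSSEC Key” icon rather than repairing it by hand: the agent and server must hold byte-identical secrets.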
  
== Reload Configuration ==
Login to the KHIKA portal.
*Go to Configure
*Select the workspace, here IIS_WebServer (or whatever you have named your workspace)
*Go to the Node tab
*Click Reload Config

[[File:reload_conf.jpg|500px]]

This step restarts the OSSEC server. Wait a few minutes for the server to restart.

== Verifying OSSEC data collection ==

Once the device is added successfully, we can check the data for this device on the Discover screen. Go to “Discover” from the main menu and select the appropriate index. Raw (KHIKA formatted) data of all the webservers you added is seen here.

[[File:Win24.jpg|500px]]

To see the data for the newly added device, enter the search string in lower case:
 tl_src_host : name_of_the_device_added_in_lower_case
and click on the search icon. If nothing comes back after a few minutes, check that the OSSEC HIDS service is running on the webserver and that the key you pasted belongs to this device name.
== How to check the output of KHIKA IIS WebServer App ? ==
  
  
=== IIS Webserver Http Error Status Dashboard ===
  
 
This dashboard shows the HTTP status codes returned for the accessed URLs. It also shows the top 10 most accessed URLs, the server IPs and the HTTP status codes.
  
 
{| class="wikitable"
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Http Error Status Dashboard''
 
|-
|'''Visualization'''
|'''Description'''
 
|-
|Server IP wise Status
|X axis : Server IPs<br/> Y axis : requests per server IP, broken down by HTTP status code (200, 400, 404, etc.)
 
|-
|Client IP wise Status
|X axis : Client IPs<br/> Y axis : requests per client IP, broken down by HTTP status code (200, 400, 404, 504, etc.). A single client accumulating 4xx responses across many URLs is the pattern to look for here.
 
|-
|Time trend
|Trend of request events over time. Useful to identify unusual spikes (for example a burst of 4xx or 5xx responses) at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events
 
|-
|Summary Table
|Detailed data with timestamp and count
|}
 
==== Some suggestions for useful interaction with this dashboard could be : ====
  
#In the graph "Server IP wise Status", click and select any one server IP. This isolates the status codes and URLs accessed for the selected server IP and is reflected across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this server IP only.
#Alternatively, in the graph "Client IP wise Status", click and select any one client IP. This isolates the status codes and URLs accessed by the selected client IP and is reflected across the dashboard.
  
=== IIS Webserver Top N URL Dashboard ===

This dashboard shows the top N URLs requested and their information. It includes details about the domain and the top hits on each server.
  
 
==== Elements in the Dashboard are explained below : ====
  
 
{| class="wikitable"
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Top N URL Dashboard''
 
|-
|'''Visualization'''
|'''Description'''
 
|-
|Contribution of URL
|This pie chart shows the share of requests for each URL accessed on the servers.
 
|-
|Server Name wise Hits
|X axis : Names of Server<br/>Y axis : Count of request hits for each server.
|-
|Time trend
|Trend of request events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events
 
|-
|Contribution of Domain
|This pie chart shows the share of requests for each domain.
|}
 
==== Some suggestions for useful interaction with this dashboard could be : ====
  
#On the pie chart "Contribution of URL", select any one URL. This shows the number of hits for the selected URL, and the server names and domain for it, across the dashboard, making it easier to drill down and analyse.
#In the "Contribution of Domain" pie, click on any one domain. A filter is applied on the selected domain and the rest of the elements on the dashboard then show data for that domain only, such as the URLs and server names for this domain.
  
=== IIS Webserver Total Requests Per User Dashboard ===

This dashboard shows detailed information about users and the URLs they requested.
  
 
==== Elements in the Dashboard are explained below : ====
  
 
{| class="wikitable"
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Total Request Per User Dashboard''
 
|-
|'''Visualization'''
|'''Description'''
 
|-
|Contribution of Server Name
|This pie chart shows the share of requests for each server.
 
|-
|User wise Request
|X axis : Users<br/>Y axis : count of requests for each user.
|}
 
==== Some suggestions for useful interaction with this dashboard could be : ====
  
#In the graph "User wise Request", click and select any one user. This isolates the request hits for the selected user and is reflected across the dashboard, i.e. the other pie charts, time trends and summary tables show filtered information for this user only.
#In the pie "Contribution of Server Name", click and select any one server name. This isolates the users and request hits for that server name and is reflected across the dashboard.
  
=== IIS Webserver Traffic Categorization Dashboard ===

This dashboard shows the traffic categorization, DIRECT or REFERRED (i.e. whether the request arrived with a referrer). It also shows the category per server IP, the top URLs and the servers.
  
 
==== Elements in the Dashboard are explained below : ====
  
 
{| class="wikitable"
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Traffic Categorization Dashboard''
 
|-
|'''Visualization'''
|'''Description'''
 
|-
|Server IP wise Category
|X axis : Server IPs<br/> Y axis : count of requests per category (DIRECT / REFERRED).
 
|-
|Client IP wise Referrer
|X axis : Client IPs<br/> Y axis : count of requests per referrer.
 
|-
|Contribution of URL
|This pie chart shows the share of requests for each URL.
 
|-
|Contribution of Category
|This pie chart shows the share of requests in each category.
 
|-
|Contribution of Referrer
|This pie chart shows the share of requests for each referrer.
 
|-
|Time trend
|Trend of request events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events
|}
  
 
==== Some suggestions for useful interaction with this dashboard could be : ====

#On the bar graph "Server IP wise Category", select any one server IP. This isolates the categories and their counts for the selected server IP, and the domains and URLs accessed on it, across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this server IP only.
#Inversely, in the bar graph "Client IP wise Referrer", click on any one client IP; the rest of the elements on the dashboard then show data for that client IP only.
  
=== IIS Webserver Top N Referrers Dashboard ===

This dashboard shows the top referrers. It also gives details of the domain and the top hits on each server.
 
  
 
==== Elements in the Dashboard are explained below : ====
 
  
 
{| class="wikitable"
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Top N Referrers Dashboard''
 
|-
|'''Visualization'''
|'''Description'''
|-
|Contribution of Domain
|This pie chart shows the share of requests for each domain.
 
|-
|Server Name wise Hits
|X axis : Server Names<br/> Y axis : count of hits for each server name.
 
|-
|Contribution of Referrer
|This pie chart shows the share of requests for each referrer.
 
|-
|Time trend
|Trend of request events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events
  
 
|}
 
  
 
==== Some suggestions for useful interaction with this dashboard could be : ====
  
#In the pie chart "Contribution of Referrer", select any one referrer. This isolates the count of hits for the selected referrer and shows the domain and server name for it across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this referrer only.
#Inversely, in the "Contribution of Domain" pie, click on any one domain; the rest of the elements on the dashboard then show data for that domain only.
  
=== IIS Webserver Referrer Detail Dashboard ===

This dashboard shows referrer details: the top URLs, the referrers and the client IPs requesting each URL, and the server IPs.

==== Elements in the Dashboard are explained below : ====
 
  
 
{| class="wikitable"
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Referrer Detail Dashboard''
 
|-
|'''Visualization'''
|'''Description'''
 
 
|-
|Contribution of Referrer
|This pie chart shows the share of requests for each referrer.
 
 
|-
|Contribution of URL
|This pie chart shows the share of requests for each URL.
 
 
|-
|Server IP wise Hits
|X axis : Server IP<br/>Y axis : count of request hits for that server IP.
 
 
|-
|Client IP wise Hits
|X axis : Client IP<br/>Y axis : count of request hits for that client IP.
 
 
|-
|Time trend
|Trend of request events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events
 
 
|-
 
|-
|User account unlocked
+
|Summary Table
|Alert triggered when event of account unlocked has occurred (eventid 4767)
+
|Detailed data with timestamp and count
|A brute force attack tries to guess-n-crack the passwords. This results into multiple login failures and if appropriate account lock-out policy is configured, the victim account gets locked. This is a safety mechanism to thwart the further attempts of the attackers and prevents the possible password crack. The locked accounts get automatically unlocked after some time, if such policy is configured. In some cases, AD admin can manually force account unlocks and brute force attacks resume immediately after that. Such unlocked accounts should be tracked and investigated if they are being targeted by brute-force-attackers.<br/><br/>
+
 
If intentional brute-force attempts are confirmed, the auto-unlock feature must be disabled till you fix the brute-force attempts as the auto unlock feature actually helps the attacker
+
|}
 +
 
 +
==== Some suggestions for useful interaction with this dashboard could be : ====
 +
 
 +
#In the pie chart "Contribution of Referrer" click and select any one referrer type.This shall isolate count of hits for that selected type and also shows server IP and accessed URL for that referrer type reflected across the dashboard. i.e the other pie charts, time trends and summary table shall show filtered information for this referrer type only.
 +
#Alternatively, in the graph "Client IP wise Hits" click and select any one client IP. This shall isolate request hits and also show referrer and accessed URLs for that client IP reflected across the dashboard.
 +
 
 +
=== IIS webserver loading delays Dashboard ===
 +
 
 +
This dashboard has information for total time taken, average time taken for accessed URI ,server IP.
 +
 
 +
==== Elements in the Dashboard are explained below : ====
 +
 
 +
{| class="wikitable"
 +
|+ style="caption-side:bottom; color:#e76700;"|''IIS webserver loading delays Dashboard ''
 
|-
 
|-
|Suspicious activity on server
+
|'''Visualization'''
|Alert triggered when one or more suspicious events have occurred within 5 minutes. The events are mentioned in the next columns.
+
|'''Description'''
|Triggered for any of the following :<br/></br>
 
Event ID 1102: The audit log was cleared. Here an attacker may be trying to destroy the audit trail of evidence being recorded in the event logs.</br>
 
EventID 1104:  The security log is now full. Attacker floods the system with security events (such as logon failure) so much so that security logs reach its pre-defined size limit and then no event can be logged into the system. This enables the attacker to perform the further actions without leaving any traces of evidence behind in the system's security logs.</br>
 
EventID 1100: The event log service was shutdown. After event log service is shutdown, no event can be logged into the system. This would enable the attacker to perform the actions without leaving any traces of evidence behind in the system's security logs.</br>
 
EventID 1108 : The event logging service encountered an error. After event log service encounters an error, no event can be logged into the system. This would enable the attacker to perform the actions without leaving any traces of evidence behind in the system's security logs.</br>
 
EventID 4608 : Windows is starting up. Abrupt shutdown and restart, perhaps without following change request.<br/>
 
EventID 4609 : Windows is shutting down. Abrupt shutdown, perhaps without following change request.<br/>
 
EventID 4616 : The system time was changed. <br/><br/>
 
All the events listed here are suspicious events. Though many a times these events can be legitimate and part of the normal procedure (such as daily jobs scheduled to clear the event logs or normal reboot of the system after applying a patch), it cannot be left unnoticed. Appropriate justification has to be in place before closing these alerts.</br>
 
In case of suspicion, it is worth carefully looking at the events before and after the alert (especially, logon activity and process creation events)
 
 
|-
 
|-
|Possible compromise to scheduled task
+
|URL wise Total Time
|A user has logged in and scheduled task activities have occurred from the same account and host within 60 minutes.
+
|X axis : URL's<br/>Y axis : Total time required and count of most expensive request for particular URL.
|An attacker may login and immediately create a windows task. If logon and task creation events happen in abnormally close proximity to the login event, then it could be an attack.<br/><br/>
 
Check the user who logged in.<br/>
 
Check the terminal/workstation from where the user logged in.<br/>
 
Check the created task.<br/>
 
In case of suspicion, (a) disable the user (b) delete the task (c) check the user login and source.<br/>
 
Investigate the user in question and take clues from workstation used for login.<br/>
 
 
|-
 
|-
|New user immediately added to sensitive group
+
|Server IP Hits
|A new user created followed by the new user account being enabled followed by the newly created user being added to security group all events within one minute - in this order triggers this alert
+
|X axis : Server IP<br/>Y axis : Count of request hits for that Server IP.
|A newly created user getting added immediately to a security group could raise suspicion. It may be an attack where the attacker creates a rogue user and adds it to a security sensitive group. It can even be an insider who may add a new (and perhaps an existing) user to a security sensitive group which may compromise the security posture.<br/><br/>
 
The affected user and the affecting user, both must be consulted. Check if the change requests, approvals and all the processes were followed.
 
 
|-
 
|-
|Successful brute force attack doing changes
+
| Contribution of Server IP
|Alert triggered as - 5 failed login attempts followed by a successful login attempt followed by a change in the same account (eventid 4738) - occurred in this order
+
|This pie chart shows contribution of different types of server IP.
|This is a typical successful brute force attack. Several failed login attempts may indicate that the user was trying to guess the password and may not be the legitimate user. A successful login followed by multiple unsuccessful attempts means that password guess was finally correct. Followed by this, was the change in user account (which could be the password, name etc.). This is highly suspicious series of events and must be inspected.<br/><br/>Check with affected user immediately. If the user has not done the logins, immediately disable the user and trigger further investigation by collecting the logs of the system from where the login attempts were made, last interactive login on that system so that we can try and track the real user who launched this attack.
 
 
|-
 
|-
|Account locked out
+
|Time trend
|Alert triggered when an account is locked out (eventid 4740)
+
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events
|Multiple and consecutive login failures within a short time span can cause the account to get locked out as per the policy defined by the organisation. This could be an indication of a possible brute-force attack. When happens multiple times on the same account, can be treated as an early clue of a brute-force attack if it happens to the same user multiple times.
 
 
|-
 
|-
|System time changed
+
|Summary Table
|This alert is triggered when system time is observed to be changed on any windows machine (eventid 4616)
+
|Detailed data with timestamp and count
|Attackers sometime compromise the system and change the system time which results into many application failures. It could spoil the audit trail and logs after the timestamp of the events change.<br/><br/>
+
 
 +
|}
 +
 
 +
==== Some suggestions for useful interaction with this dashboard could be : ====
 +
 
 +
#In the bar graph "URL wise Total Time" click and select any one URL. The rest of the dashboard shall show total time required for that selected URL, count of most expensive request for that URL and get reflected across the dashboard. i.e the other pie charts, time trends and summary table shall show filtered information for this URL only.
 +
#Alternatively, in the bar graph "Server IP Hits" click and select any one server IP. Click on the any one server IP to select and rest of the elements on the dashboard then show data for that server IP only.
 +
 
 +
=== IIS Webserver Avg Qtime Dashboard ===
 +
 
 +
This Dashboard shows the average time taken by accessed URL and it's query.  
  
Check with system admin if this was done intentionally. If not, one must investigate further by<br/>
+
==== Elements in the Dashboard are explained below : ====
1) checking the interactive logins that happened near this event.<br/>
 
2) checking any other alerts generated during the same time on this system<br/><br/>
 
  
This can be a false positive if NTP service is doing it to synchronise the time with the NTP server. In such cases, the user is seen as SYSTEM in the event.<br/>
+
{| class="wikitable"
 +
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Avg Qtime Dashboard ''
 +
|-
 +
|'''Visualization'''
 +
|'''Description'''
 +
|-
 +
|URL wise Hits
 +
|X axis :Name of URL's<br/>Y axis : Count of request hits for that URL.
 +
|-
 +
|Server IP Hits
 +
|X axis : ServerIP<br/>Y axis : Count of request hits for that Server IP.
 
|-
 
|-
|Unauthorised user creating a user
+
| Contribution of Query
|Event in which a new user is created (eventid 4720) by another user who is not an admin
+
|This pie chart shows contribution of different types of Query.
|After compromising a system, an attacker would typically create a user (with admin privileges). This user will then be used for other attacks, lateral movement etc. Sometimes, the internal admins may abuse their rights and create users for convenience which may change or compromise the security posture of the whole system.<br/><br/>
 
Check if the created user was create by authorized person.<br/>
 
Check if all change controls and approvals were sought as per the standard operating procedure.<br/>
 
Check if the newly created user was created with appropriate  nomenclature, minimum rights etc.<br/><br/>
 
If any of the above is violated, then disable the user until appropriate justification is gathered.
 
 
|-
 
|-
|Successful Brute Force Attack
+
|Time trend
|Events of five failed logins followed by successful login within 30 minutes have occurred in this order
+
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events
|This sequence of events indicates a successful brute force attack where multiple login failure events (4624) were a result of password guess attempts and the successful login followed by that (4625) indicating a success guess of the password.<br/><br/>
+
|-
Check with the affected user and disable the account if suspicion is raised. Further investigation may involve tracing the system from where these logins were made and trigger investigation on that system. Process tracking and investigating logs prior to successful logins may be useful.
+
|Summary Table
 +
|Detailed data with timestamp and count
  
 
 
|}
 
|}
  
== Reload Configuration ==
+
==== Some suggestions for useful interaction with this dashboard could be : ====
  
Login into the KHIKA portal.  
+
#In the pie chart "Contribution of Query" select any top Query. This shall isolate the count of hits for selected query and also server IP for that selected query across the dashboard.  
Go to Configure, Select workspace, eg. WINDOWS_SERVERS  Go to Node Tab  Click Reload Config
+
#In the bar graph "URL wise Hits" select any one URL. This shall isolate the count of request hits for selected URL and also query and server name  for that URL across the dashboard. i.e the other pie charts, time trends and summary table shall show filtered information for this URL only.
  
[[File:Win23.jpg|500px]]
+
=== KHIKA Alerts for IIS WebServer  ===
  
This step restarts OSSEC Server.
+
Alerts are generated when certain ciritical behaviour is observed in the system – real time and notified on the Alerts Dashboard in KHIKA as well as can be received in email to relevant stakeholders. The details of KHIKA Alerts are mentioned here
Wait for a few minutes for server to restart.
+
Click on “Alert Dashboard” on left menu.
== Verifying OSSEC data collection ==
+
Certain alerts for Windows are pre-canned and shipped with KHIKA, keeping in mind the requirements of the users. They are mentioned in the table below :
  
Once the device is added successfully, we can check the data for this device on Discover screen. Go to “Discover” from the main menu.
+
==== Alerts Description ====
Select the appropriate index for the same. Raw (khika formatted) data of all your Windows servers added is seen here.
 
  
[[File:Win24.jpg|500px]]
+
{| class="wikitable"
 
+
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''
To see the data for our newly added device, enter search string in lower case –
+
|-
tl_src_host : name_of_the_device_added_in_lower_case
+
|'''Alert Name'''
and click on the search icon.
+
|'''Description'''
 +
|'''Suggested Resolution'''
 +
|-
 +
|IIS communication with possible  IOC or  bad  IP
 +
|This alert is triggered when Malicious/bad IPs are trying to communicate with IIS Webserver.
 +
|KHIKA shares community based threat intelligence (TI) every 24 hours. TI has list of IP addresses with bad reputation. Every bad IP is marked with number of communities reporting it, name of each community and confidence indicating how confident are we about the reputation. This alert is generated when communication with a bad IP is let through.
 +
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration.
 +
You can check how log this communication is happening by simply searching the malicious IP in the logs. You can also check what internal IP addresses are communicating with this IP addresses and track the real users behind those internal IP addresses.
 +
Cross-check the reputation of the IP with popular websites such as ipvoid.com, virustotal.com.
 +
If you see an internal IP constantly getting involved in malicious communication (with same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.
 +
It is critical to block this rogue communication.
 +
|-
 +
|IIS dangerous content posted to webserver,files with executable extensions
 +
|This alert is triggered when any of the client trying to posted some dangerous files on webserver within one minute.
 +
|Dangerous content is posted on the webserver. Victim has posted some potentially dangerous files like executable, scripts, shared objects, etc. on webserver.
 +
Kindly check upload activity done by the user and verify the uploaded content for policy violation.
 +
|-
 +
|IIS multiple errors for same URL when it is not accessible
 +
|This alert is triggered when client want to access invalid/unauthorized URL and got multiple errors like 404,405 etc within one minute.
 +
|Getting multiple errors for the same url.
 +
This kind of alert may occur due to incorrect application url e.g. user trying to access invalid/non-authorized url.
 +
Kindly check the legitimacy of the requesting users.
 +
|}
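Review bot: In the new alert table, the description of "IIS multiple errors for same URL when it is not accessible" labels 404 and 405 responses as an "invalid/unauthorized URL"; 404 is Not Found and 405 is Method Not Allowed, while authorization failures surface as 401 or 403, so the description (and the "Kindly check the legitimacy of the requesting users" resolution) should state which status codes the rule actually matches, or include 401/403 if unauthorized access is what it is meant to catch. Two smaller points in the same table: "check how log this communication is happening" should read "how long", and "Victim has posted some potentially dangerous files" contradicts the description's "any of the client trying to posted", so the resolution should name the uploading client rather than the victim.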

Latest revision as of 07:42, 7 April 2020


Introduction

IIS webserver logs hold valuable information about each client's activity and communication. KHIKA visual analytics make it simpler to identify and pinpoint where risks are introduced, so you can take preventive measures accordingly. The KHIKA App for IIS webserver aims to give you insights into server behaviour, errors and traffic.

With the KHIKA App for IIS webserver, you can:

  • Monitor hundreds of IIS servers from one central place.
  • Monitor HTTP error trends.
  • Monitor the top n URLs serviced/requested and their statistics.
  • See the user-wise request distribution across your servers.

We explain below the steps to configure the KHIKA App for IIS Webserver and interpret its output.

The key parts are:

  1. Install the KHIKA App for IIS Webserver
  2. Get data from your IIS Webserver into KHIKA Aggregator

How to Install the KHIKA App for IIS WebServer?

This section assumes that you have already configured the KHIKA Data Aggregator in your environment. If not, please read how to configure the KHIKA Data Aggregator and perform the prerequisite steps.

This section explains how to pick and install the KHIKA application for IIS Webserver. Installing the application assembles and activates the adapter (parser) that handles the Windows data format, together with the preconfigured dashboards and alert rules.

Go to “Applications” tab in the “Configure” menu.

Node.jpg

Check whether the appropriate Workspace is selected. Note: an application is always loaded into a Workspace; read the section on Workspaces to know more about KHIKA Workspaces. Also select your KHIKA aggregator name in the Node dropdown. This ensures that data is collected from the desired source into the workspace that holds the configured application and components.

Install app.jpg

Click on the “+” button next to the IIS WebServer App. A pop up appears.

Install app1.jpg

You can now select the contents of the application you need. For example, click the “Reports” dropdown to expand it and list all reports. Select the reports you need individually by ticking the checkbox next to each, or tick “Select All” to take all of them. Select contents from Alerts and Dashboards in the same way.

What are KHIKA Reports

What are KHIKA Dashboards

What are KHIKA Alerts

Click “Install” to proceed with installing the selected application. If you have created multiple IIS webserver workspaces in KHIKA and installed the app previously, the pop-up below appears.

App alredy.JPG

Click OK to proceed. If this is not the case, ignore this step. After a successful installation, the following status is displayed.

Install status.jpg

Click the Close button. This simple procedure to install a KHIKA App automatically configures the Adapter (required for parsing the data from raw syslogs), the calculated KHIKA reports on raw data, Visualizations, Dashboards and Alerts, all in one click.

How to get your IIS WebServer data into KHIKA ?

KHIKA recommends the popular open-source OSSEC integration to monitor IIS Webservers. OSSEC integration with KHIKA has two components:

  1. OSSEC Agent – installed on each server that we wish to monitor
  2. OSSEC Server – present on the KHIKA Data Aggregator (which you installed before)

The OSSEC agent and server communicate with each other using a unique key for encryption. The main steps to start getting data from an IIS Webserver are:

  1. Add the webserver details in KHIKA
  2. Extract a unique key for this device from KHIKA
  3. Install the OSSEC agent on the Webserver
  4. Insert this key into the OSSEC agent (i.e. on the Webserver to be monitored)
  5. Reload the configuration in KHIKA
  6. Verify data collection in KHIKA

Each of these steps is explained in detail in the further sections.

Adding the device in KHIKA

Go to the Adapter tab from the “Configure” menu and click the “Manage Devices” icon.

Iis manage device 1.jpg

A pop-up appears for the device details.

Win7.jpg

Click the “Add / Modify Device” tab. Another pop-up appears for the device details.

List device 11.jpg

Enter the expected device name. In the IP address field, enter “any”. Please note: always enter the IP address as “any”. This is the safe and sure option for establishing the connection, because it lets the OSSEC agent use any of its configured IPs to connect to the OSSEC Server. The device may have multiple NIC cards/IP addresses, and unless we are sure which IP will be used for the connection, the connection will fail. Hence, use “any”.

Select the appropriate time zone for this device. In the “Node” dropdown, select the name of the Aggregator or local data collector for this device. Click Submit. A success message confirms that the device has been added to this adapter.

Iis adding device.jpg

Finally, go to Workspace tab and click on “Apply Configuration” icon.

Iis 10 1.jpg

We get a confirmation message here too, saying “Changes Applied”.

Extract key from KHIKA OSSEC Server

The expected server is now added to the relevant KHIKA Adapter, the parser that will parse this data type. To see this device entry, click the “Manage Devices” icon next to the adapter.

Iis manage device 1.jpg

A pop-up with the adapter's device details appears. Select the “List of Devices” tab.

Iis 12.jpg

Click on the “Get OSSEC Key” icon next to this device.

Get ossec key 1.jpg

Iis extract key.jpg

This is the unique key for this device, created by the OSSEC server. Paste this key into the OSSEC agent installed on this Webserver.

Installing OSSEC Agent for IIS WebServer

Download the Windows OSSEC Agent from here.
For an IIS Webserver you need the Windows installer with the filename ossec-win32-agent.zip. It works for both 32-bit and 64-bit Windows Server OS versions.

Copy the downloaded installer to your Webserver (using WinSCP or your favourite SCP client) and run the installer as the local "Admin" on the server. Please note: it is extremely important to install the OSSEC agent with admin privileges, because the agent reads the Security event log, and it must run as the local Admin to read it successfully. Select the installer file and press "Run".

Win15.jpg

Click Next

Win16.jpg

Select "I Agree" and proceed

Win17.jpg

Keep the default selection in the next window and click Next

Win18.jpg

Enter the location to install the OSSEC agent on the local drive and let the installation complete

Win19.jpg

After the installation is complete, verify that the OSSEC HIDS service is installed on your WebServer (go to the Services control panel and look for the OSSEC HIDS service).

Win20.jpg

NOTE :- You will have to repeat these steps on each Webserver that you wish to monitor using KHIKA.

Insert unique OSSEC key in Windows OSSEC Agent

Perform the following simple steps on the agent on your Webserver: in the OSSEC Agent installation directory, run win32ui.exe as Administrator to open the window shown below.

Win21.jpg

In the “OSSEC Server IP” field, enter the IP address of the KHIKA data aggregator or collector node, paste the key copied above (generated by the OSSEC server) into the "Authentication key" box and click Save. From the "Manage" drop-down, select "Restart" to restart the OSSEC agent. Then click the Refresh button at the bottom, next to Save.

Win22.jpg

Wait for a few minutes. Repeat the above steps for every agent to be added.

Reload Configuration

Log in to the KHIKA portal.

  • Go to Configure
  • Select workspace, here IIS_WebServer (or whatever you have named your workspace)
  • Go to Node Tab
  • Click Reload Config

Reload conf.jpg

This step restarts the OSSEC Server. Wait a few minutes for the server to restart.

Verifying OSSEC data collection

Once the device has been added successfully, we can check its data on the Discover screen. Go to “Discover” from the main menu and select the appropriate index. The raw (KHIKA-formatted) data of all the Webservers you added is shown here.

Win24.jpg

To see the data for the newly added device, enter the search string in lower case – tl_src_host : name_of_the_device_added_in_lower_case – and click the search icon.

How to check the output of KHIKA IIS WebServer App ?

IIS Webserver Http Error Status Dashboard

This dashboard shows the HTTP status codes returned for accessed URLs. It also shows the top 10 most accessed URLs, the server IPs and the HTTP status codes.

Elements in the Dashboard are explained below :

{| class="wikitable"
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Http Error Status Dashboard''
|-
|'''Visualization'''
|'''Description'''
|-
|Server IP wise Status
|X axis : Server IPs<br/>Y axis : Server IP status codes like 200, 400, 404, etc.
|-
|Client IP wise Status
|X axis : Client IPs<br/>Y axis : Client IP status codes like 200, 400, 404, 504, etc.
|-
|Time trend
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events
|-
|Summary Table
|Detailed data with timestamp and count
|}

Some suggestions for useful interaction with this dashboard could be :

  1. In the graph "Server IP wise Status", click and select any one server IP. This isolates the status codes and URLs accessed for the selected server IP and is reflected across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this server IP only.
  2. Alternatively, in the graph "Client IP wise Status", click and select any one client IP. This isolates the status codes and URLs accessed for the selected client IP and is reflected across the dashboard.

IIS Webserver Top N URL Dashboard

This dashboard shows the top n URLs requested and their information, including details about the domain and the top hits on each server.

Elements in the Dashboard are explained below :

{| class="wikitable"
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Top N URL Dashboard''
|-
|'''Visualization'''
|'''Description'''
|-
|Contribution of URL
|This pie chart shows the different URLs accessed by server.
|-
|Server Name wise Hits
|X axis : Names of Server<br/>Y axis : Count of such request hits for each server.
|-
|Time trend
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events
|-
|Contribution of Domain
|This pie chart shows different types of domain.
|-
|Summary Table
|Detailed data with timestamp and count
|}

Some suggestions for useful interaction with this dashboard could be :

  1. On the pie chart "Contribution of URL", select any one URL. This shows the number of hits for the requested URL, the server names and the domain for the selected URL across the dashboard, making it easier to drill down and analyse.
  2. In the "Contribution of Domain" pie, click on any one domain. A filter is applied on the selected domain and the rest of the elements on the dashboard then show data for that domain only, such as the URLs for this domain, server name, etc.

IIS Webserver Total Requests Per User Dashboard

This dashboard shows detailed information about users and the URLs they requested.

Elements in the Dashboard are explained below :

{| class="wikitable"
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Total Request Per User Dashboard''
|-
|'''Visualization'''
|'''Description'''
|-
|Contribution of Server Name
|This pie chart shows contribution of servers.
|-
|User wise Request
|X axis : one or more users<br/>Y axis : Count of request hits for that user.
|-
|Time trend
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events
|-
|Summary Table
|Detailed data with timestamp and count
|}

Some suggestions for useful interaction with this dashboard could be :

  1. In the graph "User wise Request", click and select any one user. This isolates the request hits for the selected user and is reflected across the dashboard, i.e. the other pie charts, time trends and summary tables show filtered information for this user only.
  2. In the pie "Contribution of Server Name", click and select any one server name. This isolates the users and request hits for that server name and is reflected across the dashboard.
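The three dashboards above (HTTP Error Status, Top N URL and Total Requests Per User) are all aggregations over fields of the IIS W3C extended log: sc-status, s-ip, c-ip, cs-uri-stem and cs-username. The Python below is an added example, not KHIKA's or the app's own code, showing those aggregations computed directly from a log file. The log lines, IP addresses and user names are constructed for the example; the column list follows the #Fields directive that IIS writes at the top of each log, which is what the parser keys on.

```python
"""Aggregate an IIS W3C extended log the way the HTTP Error Status, Top N URL and
Total Requests Per User dashboards do (added example; not KHIKA's own code)."""
from collections import Counter, defaultdict

# Constructed sample log: hosts, IPs and users are made up for this example.
# IIS encodes spaces inside a field as '+', so every field is one whitespace-free token.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2020-04-07 07:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-04-07 07:00:01 10.0.0.5 GET /index.html - 80 - 192.168.1.10 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 15
2020-04-07 07:00:02 10.0.0.5 GET /login.aspx - 80 - 192.168.1.10 Mozilla/5.0+(Windows+NT+10.0) http://intranet.example/ 200 0 0 40
2020-04-07 07:00:03 10.0.0.5 POST /login.aspx - 80 alice 192.168.1.10 Mozilla/5.0+(Windows+NT+10.0) http://intranet.example/login.aspx 302 0 0 120
2020-04-07 07:00:04 10.0.0.6 GET /admin/config.xml - 80 - 203.0.113.7 curl/7.64.0 - 404 0 2 3
2020-04-07 07:00:05 10.0.0.6 GET /admin/config.bak - 80 - 203.0.113.7 curl/7.64.0 - 404 0 2 2
2020-04-07 07:00:06 10.0.0.6 GET /index.html - 80 bob 192.168.1.22 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 18
2020-04-07 07:00:07 10.0.0.5 GET /report.aspx id=7 80 alice 192.168.1.10 Mozilla/5.0+(Windows+NT+10.0) http://intranet.example/ 500 0 0 950
"""


def parse_w3c(text):
    """Return one dict per request, keyed by the names in the #Fields directive.

    Directive lines start with '#'; a new #Fields line re-maps the columns, which
    IIS does whenever the log is rolled over or the field set is changed.
    """
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line seen before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        rec = dict(zip(fields, values))
        rec["sc-status"] = int(rec["sc-status"])
        rec["time-taken"] = int(rec["time-taken"])  # IIS logs time-taken in milliseconds
        records.append(rec)
    return records


def status_by_ip(records, ip_field):
    """{ip: {status_code: hits}} for ip_field 's-ip' (server) or 'c-ip' (client).

    This is the 'Server IP wise Status' / 'Client IP wise Status' bar chart.
    """
    table = defaultdict(Counter)
    for rec in records:
        table[rec[ip_field]][rec["sc-status"]] += 1
    return {ip: dict(counts) for ip, counts in table.items()}


def error_hits_by_ip(records, ip_field):
    """Only the 4xx/5xx hits per IP, which is what an error dashboard surfaces first."""
    return dict(Counter(rec[ip_field] for rec in records if rec["sc-status"] >= 400))


def top_n_urls(records, n=10):
    """[(url, hits)] for the n most requested cs-uri-stem values ('Contribution of URL')."""
    return Counter(rec["cs-uri-stem"] for rec in records).most_common(n)


def requests_per_user(records):
    """{user: hits}; IIS writes '-' for anonymous (unauthenticated) requests."""
    return dict(Counter(rec["cs-username"] for rec in records))


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print("status per server IP:", status_by_ip(recs, "s-ip"))
    print("status per client IP:", status_by_ip(recs, "c-ip"))
    print("error hits per client IP:", error_hits_by_ip(recs, "c-ip"))
    print("top URLs:", top_n_urls(recs, 3))
    print("requests per user:", requests_per_user(recs))
```

On the constructed sample the client 203.0.113.7 accounts for every 404, both against files under /admin/, which is the pattern the Client IP wise Status chart makes visible at a glance; the parser skips a line whose token count does not match the #Fields list instead of silently shifting every later column.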

IIS Webserver Traffic Categorization Dashboard

This dashboard shows traffic categorized as DIRECT or REFERRED. It also shows the category per server IP, the top URLs and the servers.

Elements in the Dashboard are explained below :

{| class="wikitable"
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Traffic Categorization Dashboard''
|-
|'''Visualization'''
|'''Description'''
|-
|Server IP wise Category
|X axis : Server IPs<br/>Y axis : count of Category.
|-
|Client IP wise Referrer
|X axis : Client IPs<br/>Y axis : count of Referrer.
|-
|Contribution of URL
|This pie chart shows contribution of different types of URL.
|-
|Contribution of Category
|This pie chart shows contribution of different types of Category.
|-
|Contribution of Referrer
|This pie chart shows contribution of different types of Referrer.
|-
|Time trend
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events
|-
|Summary Table
|Detailed data with timestamp and count
|}

Some suggestions for useful interaction with this dashboard could be :

  1. On the bar graph "Server IP wise Category", select any one server IP. This isolates the category and its count for the selected server IP, together with the domain and accessed URLs for that server IP, across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this server IP only.
  2. Alternatively, in the bar graph "Client IP wise Referrer", click on any one client IP to select it; the rest of the elements on the dashboard then show data for that client IP only.

IIS Webserver Top N Referrers Dashboard

This dashboard shows the top referrers. It also gives details of the domain and the top hits on each server.

Elements in the Dashboard are explained below :

{| class="wikitable"
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Top N Referrers Dashboard''
|-
|'''Visualization'''
|'''Description'''
|-
|Contribution of Domain
|This pie chart shows contribution of different types of Domain.
|-
|Server Name wise Hits
|X axis : Server Names<br/>Y axis : Server name wise hits.
|-
|Contribution of Referrer
|This pie chart shows contribution of different types of Referrers.
|-
|Time trend
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events
|-
|Summary Table
|Detailed data with timestamp and count
|}

Some suggestions for useful interaction with this dashboard could be :

  1. On the pie chart "Contribution of Referrer", select any one referrer. This isolates the count of request hits for the selected referrer and also shows the domain and server name for it across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this referrer only.
  2. Alternatively, in the "Contribution of Domain" pie, click on any one domain to select it; the rest of the elements on the dashboard then show data for that domain only.

IIS Webserver Referrer Detail Dashboard

This dashboard shows referrer details. It also shows the top URLs, the referrers and client IPs requesting any URL, and the server IP.

Elements in the Dashboard are explained below :

{| class="wikitable"
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Referrer Detail Dashboard''
|-
|'''Visualization'''
|'''Description'''
|-
|Contribution of Referrer
|This pie chart shows contribution of different Referrers.
|-
|Contribution of URL
|This pie chart shows contribution of different URLs.
|-
|Server IP wise Hits
|X axis : Server IP<br/>Y axis : Count of request hits for that Server IP.
|-
|Client IP wise Hits
|X axis : Client IP<br/>Y axis : Count of request hits for that Client IP.
|-
|Time trend
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events
|-
|Summary Table
|Detailed data with timestamp and count
|}

Some suggestions for useful interaction with this dashboard could be :

  1. In the pie chart "Contribution of Referrer" click and select any one referrer type.This shall isolate count of hits for that selected type and also shows server IP and accessed URL for that referrer type reflected across the dashboard. i.e the other pie charts, time trends and summary table shall show filtered information for this referrer type only.
  2. Alternatively, in the graph "Client IP wise Hits" click and select any one client IP. This shall isolate request hits and also show referrer and accessed URLs for that client IP reflected across the dashboard.
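The Traffic Categorization, Top N Referrers and Referrer Detail dashboards all derive from one log field, cs(Referer): a request with no referrer (IIS writes "-") is DIRECT, anything else is REFERRED, and the referrer's host name is the "domain" the pie charts group by. The Python below is an added example rather than KHIKA's code. It works on already-parsed request records (constructed here, with made-up IPs and host names) and shows the classification, including two edge cases a real log produces: mixed-case host names, and Referer values that are not URLs at all, since the header is supplied by the client.

```python
"""Classify IIS requests as DIRECT or REFERRED and summarise referrers per server and
client IP (added example; not KHIKA's own code)."""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

DIRECT, REFERRED = "DIRECT", "REFERRED"
UNPARSEABLE = "(unparseable)"

# Constructed records, shaped as a W3C log parser would produce them (IPs and hosts are made up).
SAMPLE_REQUESTS = [
    {"s-ip": "10.0.0.5", "c-ip": "192.168.1.10", "cs-uri-stem": "/index.html", "cs(Referer)": "-"},
    {"s-ip": "10.0.0.5", "c-ip": "192.168.1.10", "cs-uri-stem": "/login.aspx", "cs(Referer)": "http://intranet.example/"},
    {"s-ip": "10.0.0.5", "c-ip": "192.168.1.10", "cs-uri-stem": "/report.aspx", "cs(Referer)": "https://Intranet.Example/login.aspx"},
    {"s-ip": "10.0.0.6", "c-ip": "203.0.113.7", "cs-uri-stem": "/admin/config.xml", "cs(Referer)": "-"},
    {"s-ip": "10.0.0.6", "c-ip": "203.0.113.7", "cs-uri-stem": "/admin/config.bak", "cs(Referer)": "-"},
    {"s-ip": "10.0.0.6", "c-ip": "198.51.100.4", "cs-uri-stem": "/index.html", "cs(Referer)": "http://search.example/?q=intranet"},
    {"s-ip": "10.0.0.6", "c-ip": "198.51.100.4", "cs-uri-stem": "/index.html", "cs(Referer)": "not-a-url"},
]


def categorize(referer):
    """DIRECT when IIS logged no Referer header ('-' or empty), REFERRED otherwise."""
    return DIRECT if referer in ("", "-") else REFERRED


def referrer_domain(referer):
    """Host name of the referring page, lower-cased; DIRECT when there is no referrer.

    Referer is client-supplied, so a value that is not a URL does turn up in real
    logs; it is kept under one bucket instead of being dropped or raising.
    """
    if categorize(referer) == DIRECT:
        return DIRECT
    host = urlsplit(referer).hostname  # urlsplit lower-cases the host for us
    return host or UNPARSEABLE


def category_by_server(records):
    """{server_ip: {DIRECT: n, REFERRED: n}}: the 'Server IP wise Category' bars."""
    table = defaultdict(Counter)
    for rec in records:
        table[rec["s-ip"]][categorize(rec["cs(Referer)"])] += 1
    return {ip: dict(c) for ip, c in table.items()}


def referrer_by_client(records):
    """{client_ip: {referrer_domain: hits}}: the 'Client IP wise Referrer' bars."""
    table = defaultdict(Counter)
    for rec in records:
        table[rec["c-ip"]][referrer_domain(rec["cs(Referer)"])] += 1
    return {ip: dict(c) for ip, c in table.items()}


def top_referrers(records, n=10):
    """[(domain, hits)] over REFERRED requests only: the 'Contribution of Referrer' pie."""
    domains = (referrer_domain(rec["cs(Referer)"]) for rec in records
               if categorize(rec["cs(Referer)"]) == REFERRED)
    return Counter(domains).most_common(n)


def urls_for_referrer(records, domain):
    """URLs reached from one referrer domain: the drill-down the dashboard applies
    when you click a slice of the referrer pie."""
    return sorted({rec["cs-uri-stem"] for rec in records
                   if referrer_domain(rec["cs(Referer)"]) == domain})


if __name__ == "__main__":
    print(category_by_server(SAMPLE_REQUESTS))
    print(referrer_by_client(SAMPLE_REQUESTS))
    print(top_referrers(SAMPLE_REQUESTS))
    print(urls_for_referrer(SAMPLE_REQUESTS, "intranet.example"))
```

In the sample, the scanner-like client 203.0.113.7 is all DIRECT traffic against /admin/ paths, while the workstation 192.168.1.10 arrives via intranet.example; that contrast is what the Server IP wise Category and Client IP wise Referrer charts are meant to surface.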

IIS webserver loading delays Dashboard

This dashboard shows the total time taken and the average time taken for each accessed URL, and the request hits per server IP.

Elements in the Dashboard are explained below :

IIS webserver loading delays Dashboard
Visualization Description
URL wise Total Time X axis : URLs
Y axis : Total time taken and count of the most expensive requests for that URL.
Server IP Hits X axis : Server IP
Y axis : Count of request hits for that server IP.
Contribution of Server IP This pie chart shows the contribution of different server IPs.
Time trend Trend of request events over time. Useful to identify unusual spikes at a glance.

X axis : date & time
Y axis : count of events
Summary Table Detailed data with timestamp and count

Some suggestions for useful interaction with this dashboard could be :

  1. In the bar graph "URL wise Total Time", click and select any one URL. The rest of the dashboard shows the total time taken for that URL and the count of its most expensive requests, i.e. the other pie charts, time trends and summary table show filtered information for this URL only.
  2. Alternatively, in the bar graph "Server IP Hits", click and select any one server IP; the rest of the elements on the dashboard then show data for that server IP only.

IIS Webserver Avg Qtime Dashboard

This dashboard shows the average time taken by each accessed URL and its query string.

Elements in the Dashboard are explained below :

IIS Webserver Avg Qtime Dashboard
Visualization Description
URL wise Hits X axis : Name of URLs
Y axis : Count of request hits for that URL.
Server IP Hits X axis : Server IP
Y axis : Count of request hits for that server IP.
Contribution of Query This pie chart shows the contribution of different query strings.
Time trend Trend of request events over time. Useful to identify unusual spikes at a glance.

X axis : date & time
Y axis : count of events
Summary Table Detailed data with timestamp and count

Some suggestions for useful interaction with this dashboard could be :

  1. In the pie chart "Contribution of Query", select any top query. This isolates the count of hits for the selected query and shows the server IP for that query across the dashboard.
  2. In the bar graph "URL wise Hits", select any one URL. This isolates the count of request hits for the selected URL and shows the query and server name for that URL across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this URL only.

KHIKA Alerts for IIS WebServer

Alerts are generated in real time when certain critical behaviour is observed in the system. They are shown on the Alerts Dashboard in KHIKA and can also be sent by email to the relevant stakeholders. The details of KHIKA Alerts are mentioned here. Click on "Alert Dashboard" in the left menu. Certain alerts for IIS Webserver are pre-canned and shipped with KHIKA, keeping in mind the requirements of the users. They are listed in the table below :

Alerts Description

Alert Details Table
Alert Name Description Suggested Resolution
IIS communication with possible IOC or bad IP This alert is triggered when malicious/bad IPs communicate with the IIS Webserver. KHIKA shares community-based threat intelligence (TI) every 24 hours. The TI feed is a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community, and a confidence score indicating how confident we are about the reputation. This alert is generated when communication with a bad IP is let through.

If communication with a bad IP is happening, it must be blocked immediately, as it could be an attack or data exfiltration in progress. You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP and track the real users behind those internal IP addresses. Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com. If you see an internal IP repeatedly involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and identify the real user and process responsible for the communication. It is critical to block this rogue communication.

IIS dangerous content posted to webserver, files with executable extensions This alert is triggered when a client posts potentially dangerous files, such as executables, scripts or shared objects, to the webserver within a one-minute window.

Check the upload activity of that user and verify the uploaded content for policy violations.

IIS multiple errors for same URL when it is not accessible This alert is triggered when a client requests an invalid or unauthorized URL and receives multiple errors (404, 405, etc.) for the same URL within one minute.

This kind of alert may be caused by an incorrect application URL, e.g. a user trying to access an invalid or non-authorized URL, but repeated errors for one URL from one client can also indicate probing. Check the legitimacy of the requesting users.
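The three pre-canned alerts above, and the per-URL total and average time-taken figures behind the loading delays dashboard, are easiest to understand when run over a few raw IIS log lines. The following is an added example written for this page; it is not KHIKA's own code and does not reproduce KHIKA's rule engine. The log lines, the threat-intelligence entry (BAD_IPS) and the list of dangerous extensions are constructed for illustration, and the one-minute window and threshold of three errors are assumptions. It parses the IIS W3C Extended format using the #Fields directive as the column header, then applies each detection to the parsed records.

```python
"""Added example: three IIS alert detections and per-URL timing over constructed log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in IIS W3C Extended format (not real traffic). IIS replaces
# spaces inside a field with '+', so the line is safely whitespace-separated.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-01-15 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-01-15 10:00:01 10.0.0.5 GET /index.html - 80 - 192.0.2.10 Mozilla/5.0 - 200 0 0 15
2024-01-15 10:00:02 10.0.0.5 GET /api/report q=1 80 alice 192.0.2.10 Mozilla/5.0 http://intranet/home 200 0 0 1200
2024-01-15 10:00:05 10.0.0.5 POST /upload/shell.exe - 80 - 198.51.100.7 curl/8.0 - 201 0 0 40
2024-01-15 10:00:10 10.0.0.5 GET /admin/config.php - 80 - 203.0.113.9 python-requests/2.31 - 404 0 2 3
2024-01-15 10:00:20 10.0.0.5 GET /admin/config.php - 80 - 203.0.113.9 python-requests/2.31 - 404 0 2 3
2024-01-15 10:00:31 10.0.0.5 GET /admin/config.php - 80 - 203.0.113.9 python-requests/2.31 - 404 0 2 3
2024-01-15 10:00:40 10.0.0.5 GET /api/report q=2 80 bob 192.0.2.11 Mozilla/5.0 http://intranet/home 200 0 0 800
2024-01-15 10:03:00 10.0.0.5 GET /admin/config.php - 80 - 203.0.113.9 python-requests/2.31 - 404 0 2 3
"""

# Constructed stand-in for the community threat-intelligence feed (assumption).
BAD_IPS = {"198.51.100.7": {"communities": 3, "confidence": 90}}

# Extensions treated as "dangerous content" (assumption; tune to your environment).
DANGEROUS_EXT = (".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js",
                 ".so", ".sh", ".php", ".asp", ".aspx")


def parse_iis_w3c(text):
    """Yield one dict per request, using the #Fields directive as the header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("log line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed line rather than misalign columns
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        rec["sc-status"] = int(rec["sc-status"])
        rec["time-taken"] = int(rec["time-taken"])  # milliseconds
        yield rec


def bad_ip_alerts(records, ti=BAD_IPS):
    """Alert 1: any request whose client IP (c-ip) is on the TI list."""
    return [(r["ts"], r["c-ip"], r["cs-uri-stem"], ti[r["c-ip"]])
            for r in records if r["c-ip"] in ti]


def dangerous_upload_alerts(records):
    """Alert 2: POST/PUT whose target path carries an executable or script extension."""
    return [(r["ts"], r["c-ip"], r["cs-uri-stem"], r["sc-status"])
            for r in records
            if r["cs-method"] in ("POST", "PUT")
            and r["cs-uri-stem"].lower().endswith(DANGEROUS_EXT)]


def repeated_error_alerts(records, threshold=3, window=timedelta(minutes=1)):
    """Alert 3: the same client getting >= threshold 4xx responses for the same
    URL inside a sliding window. Returns one alert per (client, URL)."""
    by_key = defaultdict(list)
    for r in records:
        if 400 <= r["sc-status"] < 500:
            by_key[(r["c-ip"], r["cs-uri-stem"])].append(r["ts"])
    alerts = []
    for (ip, url), times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((ip, url, times[start], times[end], end - start + 1))
                break
    return alerts


def url_time_stats(records):
    """Per-URL hit count, total and average time-taken, and slowest request:
    the figures the loading delays and Avg Qtime dashboards plot."""
    stats = {}
    for r in records:
        s = stats.setdefault(r["cs-uri-stem"], {"count": 0, "total": 0, "max": 0})
        s["count"] += 1
        s["total"] += r["time-taken"]
        s["max"] = max(s["max"], r["time-taken"])
    for s in stats.values():
        s["avg"] = s["total"] / s["count"]
    return stats


if __name__ == "__main__":
    recs = list(parse_iis_w3c(SAMPLE_LOG))
    for a in bad_ip_alerts(recs):
        print("bad IP:", a)
    for a in dangerous_upload_alerts(recs):
        print("dangerous upload:", a)
    for a in repeated_error_alerts(recs):
        print("repeated errors:", a)
    for url, s in sorted(url_time_stats(recs).items(), key=lambda kv: -kv[1]["total"]):
        print(f"{url}: total={s['total']}ms avg={s['avg']:.0f}ms max={s['max']}ms")
```

The repeated-error detector uses a sliding window keyed on client IP and URL rather than a fixed calendar minute, so three 404s at 10:00:31, 10:00:45 and 10:01:10 are still caught; the fourth 404 at 10:03:00 in the sample is outside the window and does not raise a second alert. When running this over real logs, anchor the TI lookup on c-ip (the client), since on a web server the "bad IP" is almost always the requester, and remember that time-taken in IIS includes network transfer time, so a slow client inflates it.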