Introduction
Seceon aiSIEM, the only real-time threat detection and reporting platform, is built on a micro-services/container architecture. This gives versatility in deployment choices: it can be installed on a bare-metal hardware server, on a virtual machine, or on a public cloud such as Amazon AWS or Microsoft Azure. The performance of the OTM is neither influenced nor compromised by the deployment option chosen; what is critical is that the compute, memory and disk performance available to it meets the Seceon OTM hardware specification.
The application runs smoothly on Azure as long as the hardware requirements are met and the installation and configuration are done properly, as described in the subsequent sections of this document.
Installation Pre-requisites
To deploy the OTM on the Azure cloud, a customer needs:
Server setup package (seceon-server-setup-5.0.0.tar.gz)
CCE package (seceon-cce-5.2.1-193.tar.gz)
Both tar packages can be downloaded before the installation process from the Dropbox links provided later in this article.
Microsoft Azure Cloud Platform
Microsoft Azure (formerly Windows Azure) is a cloud computing service created by Microsoft for building, testing, deploying, and managing applications and services through a global network of Microsoft-managed data centres. It provides software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS) and supports many different programming languages, tools and frameworks, including both Microsoft-specific and third-party software and systems.
Seceon aiSIEM, being a containerized platform, is compatible with a variety of installation environments. It has been commercially deployed and is running successfully on physical servers, AWS instances, and virtual machines (VMs) on ESXi servers, KVM, etc. For Azure, too, a VM has to be created and then used for the aiSIEM installation.
Installation Process For aiSIEM on an Azure VM
Step 1: Log in to your Microsoft Azure dashboard.
Step 2: Create VM
Go to the list on the left side of the dashboard and select “Virtual Machines”.
On the “Virtual Machines” screen, select the “+Add” option.
Fill in the “Create virtual machine” form using the following information:
PROJECT DETAILS
Subscription: your existing Microsoft Azure subscription.
Resource group: the resource group, within that subscription, in which the VM is created. You can also create a new resource group.
INSTANCE DETAILS
Virtual machine name: your choice.
Region: your Azure region.
Availability options: optional.
Image: select “CentOS-based 7.5”.
Size: choose 4 vCPUs, 4 GB RAM. The OS disk will be 30 GB by default; we will increase it to the required size in Step 3 (Change Disk Size).
ADMINISTRATOR ACCOUNT
Authentication type
Username
SSH public key
Use these fields to set up your SSH login account for the VM.
Keep the rest of the settings at their defaults and create the VM. Once it is created, note the assigned IP address and log in to it over SSH with the administrator account you created.
Step 3: Change Disk Size
Log in to the created VM as administrator (root).
Change the disk size using the instructions below:
Check the root partition using the command df -h:
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda2        30G  1.2G   29G   5% /
devtmpfs         14G     0   14G   0% /dev
tmpfs            14G     0   14G   0% /dev/shm
tmpfs            14G  9.0M   14G   1% /run
tmpfs            14G     0   14G   0% /sys/fs/cgroup
/dev/sda1       497M   81M  417M  17% /boot
/dev/sdb1       197G   61M  187G   1% /mnt/resource
tmpfs           2.8G     0  2.8G   0% /run/user/1000
Here the root filesystem is mounted from /dev/sda2.
In the Azure Portal, go to the VM -> Disks -> select the OS disk -> Configuration and increase the OS disk size to 200 GB (the VM must be stopped/deallocated while the OS disk is resized).
Start the VM again.
Use fdisk to delete the old root partition and recreate it so that it spans the enlarged disk. The recreated partition must begin at exactly the same Start that p prints for /dev/sda2 (64 below), otherwise the data on it is lost; this works here because the root partition is the last one on the disk, and taking a snapshot of the OS disk before repartitioning is cheap insurance. The commands to use are listed below:
sudo fdisk /dev/sda

u   (switch display/entry units to cylinders)
Command (m for help): u
Changing display/entry units to cylinders (DEPRECATED!).

p   (print the partition table; take note of the Start of /dev/sda2, e.g. 64)
Command (m for help): p
Disk /dev/sda: 214.7 GB, 214748364800 bytes, 419430400 sectors
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x000ecbd2
   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          64      512000   83  Linux
/dev/sda2              64        3917    30944256   83  Linux

d   (delete the required partition)
Command (m for help): d
Partition number (1,2, default 2): 2
Partition 2 is deleted

n   (create a new partition in place of the deleted one), then p (primary)
Command (m for help): n
Partition type:
   p   primary (1 primary, 0 extended, 3 free)
   e   extended
Select (default p): p
Partition number (2-4, default 2): 2
First cylinder (64-26108, default 64):
Using default value 64
Last cylinder, +cylinders or +size{K,M,G} (64-26108, default 26108):
Using default value 26108
Partition 2 of type Linux and of size 199.5 GiB is set

w   (write the changes)
Command (m for help): w
The partition table has been altered!

Reboot the system so the kernel picks up the new partition table, then grow the XFS filesystem to fill the partition:
[seceon@cce-test ~]$ sudo reboot
[seceon@cce-test ~]$ sudo xfs_growfs /dev/sda2
meta-data=/dev/sda2              isize=512    agcount=4, agsize=1934016 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=1        finobt=0 spinodes=0
data     =                       bsize=4096   blocks=7736064, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=1
log      =internal               bsize=4096   blocks=3777, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
data blocks changed from 7736064 to 52299871
Verify that the size has increased using df -h:
[seceon@cce-test ~]$ df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda2       200G  1.2G  199G   1% /
devtmpfs         14G     0   14G   0% /dev
tmpfs            14G     0   14G   0% /dev/shm
tmpfs            14G  9.0M   14G   1% /run
tmpfs            14G     0   14G   0% /sys/fs/cgroup
/dev/sda1       497M   81M  417M  17% /boot
/dev/sdb1       197G   61M  187G   1% /mnt/resource
tmpfs           2.8G     0  2.8G   0% /run/user/1000
Step 4: Set up the Seceon environment
Log in to the VM as administrator.
Run sudo -i to become root.
Download the server setup package using the command given below:
wget -c https://www.dropbox.com/s/m46ciwi1om3v5du/seceon-server-setup-5.0.0.tar.gz
Untar the server setup package using the command:
tar -xvzf seceon-server-setup-5.0.0.tar.gz
Enter the extracted folder and run the setup script:
cd seceon-server-setup-5.0.0
./seceon-setup.sh
Wait for the setup to complete.
Then reboot the VM using the reboot command.
Step 5: Install CCE
Log in to the VM as seceon/seceon. Change this default password once the installation is complete.
Download the CCE package using the command given below:
wget -c https://www.dropbox.com/s/7vxts85zvxksv0n/seceon-cce-5.2.1-193.tar.gz
Verify the MD5 checksum of the package using the command given below:
md5sum seceon-cce-5.2.1-193.tar.gz | grep eb90dd8dfa8c013e70f6d6b84e311990
You should see the output:
eb90dd8dfa8c013e70f6d6b84e311990  seceon-cce-5.2.1-193.tar.gz
If you do not see this output, the download is corrupt or incomplete. Download it again before going any further.
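As an added example (not part of the Seceon guide), the same checksum check written as a POSIX shell helper that uses md5sum -c, which compares the whole digest rather than grepping for it, and deletes a package whose digest does not match so it cannot be installed by mistake. The function names are mine; the guide's digest and file name appear only in a usage comment, and the self-check at the bottom hashes a constructed file so it runs offline.

```shell
#!/bin/sh
# Added example, not from the Seceon guide: verify a downloaded package against
# its published MD5 digest with md5sum -c, which compares the whole digest
# instead of relying on a grep match that someone has to read. Function names
# are mine; the demo at the bottom uses a constructed file so it runs offline.

# verify_md5 FILE EXPECTED_HEX: returns 0 if FILE hashes to EXPECTED_HEX, 1 otherwise.
verify_md5() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    # md5sum -c reads "<digest>  <filename>" lines and recomputes the digest itself.
    printf '%s  %s\n' "$expected" "$file" | md5sum -c --status -
}

# fetch_and_verify URL FILE EXPECTED_HEX: resumable download, then verify; a package
# that does not match is deleted so a corrupt or truncated archive is never installed.
# Usage for the CCE package from the guide:
#   fetch_and_verify https://www.dropbox.com/s/7vxts85zvxksv0n/seceon-cce-5.2.1-193.tar.gz \
#       seceon-cce-5.2.1-193.tar.gz eb90dd8dfa8c013e70f6d6b84e311990
fetch_and_verify() {
    url=$1
    file=$2
    expected=$3
    wget -c -O "$file" "$url" || return 1
    if verify_md5 "$file" "$expected"; then
        echo "OK: $file matches $expected"
    else
        echo "MISMATCH: $file does not hash to $expected; deleting, download again" >&2
        rm -f "$file"
        return 1
    fi
}

# Offline self-check with a constructed file: md5("hello") is
# 5d41402abc4b2a76b9719d911017c592. Returns 0 only if the correct digest is
# accepted and a wrong digest is rejected.
demo_verify() {
    tmp=$(mktemp) || return 1
    printf '%s' hello > "$tmp"
    if verify_md5 "$tmp" 5d41402abc4b2a76b9719d911017c592; then good=1; else good=0; fi
    if verify_md5 "$tmp" 00000000000000000000000000000000; then bad=1; else bad=0; fi
    rm -f "$tmp"
    [ "$good" = 1 ] && [ "$bad" = 0 ]
}

demo_verify && echo "checksum helper: self-check passed"
```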
Run the command:
ssh seceon@127.0.0.1
Download the cce-global-config.yml and install.sh files, as given below:
cce-global-config.yml:
wget -c https://www.dropbox.com/s/5cx8kxwuazv6m20/cce-global-config.yml
install.sh:
wget -c https://www.dropbox.com/s/zgk6rvmiicw1x1t/install.sh
Make the install script executable using the command:
chmod 775 install.sh
Run the installer inside a screen session, so that it keeps running if the SSH connection drops:
screen ./install.sh -c
Answer the questions:
Do APE & CCE coexist?
In an Enterprise deployment, CCE and APE may coexist; in an MSSP deployment they are unlikely to.
If you answer Yes, the script asks for confirmation; otherwise it prompts for the Tenant ID. In an Enterprise deployment just press Enter; otherwise type in the Tenant ID given by the MSSP.
APE IP address:
Do you want secure communication between CCE & APE using an SSH tunnel?
Answer Yes only if the APE is not on a VPN, has a public IP, and there is no VPN tunnel between the APE and the CCE.
SSH Tunnel Port: 22 (Default)