Skip to main content

Verification Checklist


  1. DIP Firewall: Scanning_Hosts Alias Check:

    • From the DIP Firewall, the Aliases section (Firewall -> Aliases) Scanning_Hosts IP alias contains the following entry:
      • IP/Network or FQDN: 10.<X>.<Y+1>.20
      • Description: Metasponse Server
  2. Windows Server 2019 VM: Network Config Check

    • The IPv4 Address is set to 10.<X>.<Y+1>.20
    • The DNS Server is set to the DIP Firewall P2P interface (10.<X>.<Y+3>.2)
  3. Windows Server 2019 VM: Time Config Check

    • The time zone is set to UTC:
    tzutil /g
    • The DIP Firewall P2P interface (10.<X>.<Y+3>.2) is configured as an NTP Peer:
    net start w32time
    w32tm /query /peer
  4. Windows Server 2019 VM: Metasponse Service Check

    • The MetasponseSvc service is running:
    sc query MetasponseSvc
    • The Metasponse service is running with SYSTEM permissions with a SERVICE_START_NAME of LocalSystem:
    sc qc MetasponseSvc
  5. Windows Server 2019 VM: Server Ports Check

    • Metasponse is LISTENING on 0.0.0.0:80:
    netstat -ano | findstr 0.0.0.0:80
    • MongoDB is LISTENING on 0.0.0.0:27017:
    netstat -ano | findstr 0.0.0.0:27017
  6. Windows Server 2019 VM: Firewall Group Policy Check

    1. Open Group Policy Editor by searching gpedit from the Start Menu
    2. Navigate to:
        Computer Configuration
    β””> Windows Settings
    β””> Security Settings
    β””> Windows Firewall with Advanced Security
    β””> Windows Firewall with Advanced Security - Local Group Policy Object
    1. For each firewall profile (Domain, Private, Public) verify the following settings:
    • Firewall state: Not configured
    • Inbound connections: Not configured
    • Outbound connections: Not configured
  7. Windows Server 2019 VM: Firewall Rule Check

    • The host firewall rules allowing inbound connections to Metasponse and MongoDB exist:
    netsh advfirewall firewall show rule name="Metasponse web UI"
    netsh advfirewall firewall show rule name="MongoDB"
    • The host firewall State is ON and Firewall Policy is set to BlockInbound,AllowOutbound
    netsh advfirewall show currentprofile
  8. Windows Server 2019 VM: Custom Plugins Check

    • Plugin files are present in C:\Program Files\Metasponse\Core\contrib
  9. Windows Server 2019 VM: Metasponse Elastic Bug Fix Check

    • The Metasponse Elastic python script C:\Program Files\Metasponse\Core\metasponse\data\elastic.py has been fixed:
      • No occurances of yyyy-MM-ddTHH:mm:ss (should be corrected to yyyy-MM-dd\'T\'HH:mm:ss)
      • No occurances of self._major_version == 7 (should be corrected to if mapping and self._major_version > 6)
      • No occurances of self._major_version == 8 (should be corrected to if mapping and self._major_version > 7)
  10. Kibana: Elasticsearch User Check

    • From Kibana (Stack Management -> Security -> Users), the metasponse user exists with the superuser role
  11. Metasponse Web UI: Settings Check

    • From the Metasponse Web UI (Settings), the following settings are set:

    • β›­ Analysis Option Defaults

      SettingValue
      Elasticsearch: Server URL
      elastic.url
      https://elasticsearch.<KIT_DOMAIN>:9200
      Elasticsearch: Pipeline name
      elastic.pipeline
      metasponse
      Elasticsearch: Export Data Model
      elastic.model
      ecs
      Elasticsearch: Version
      elastic.version
      ElasticSearch 8
      Mockingbird: URL
      mockingbird.url
      http://mockingbird.<KIT_DOMAIN>:8090
      Mockingbird: Verify SSL Certificate
      mockingbird.ssl.verify
      UNCHECKED (False)
    • β›­ Authentication Option Defaults

      SettingValue
      Elasticsearch: Username
      elastic.auth.user
      metasponse
      Elasticsearch: Password
      elastic.auth.password
      <KIT_PASSWORD>
      Elasticsearch: Verify SSL Certificate
      elastic.ssl.verify
      UNCHECKED (False)
    • β›­ Deployment Option Defaults

      SettingValue
      Network Root
      job.netroot
      \%WinDir%\Temp\262
      Physical Root
      job.phyroot
      %WinDir%\Temp\262
      Unix Physical Root
      ssh.phyroot
      /tmp/262
      Windows Physical Root
      ssh.win32.phyroot
      C:\Windows\Temp\262

      NOTE: Changing the Network Root and Physical Root folders to a path with a known unique string will aid in whitelisting alerts that spawn from Metasponse activity