Start Guide

Follow our best practice guide to configure Enginsight from scratch in no time.
The starting point is a freshly installed on-premises (onPrem) instance or a newly created SaaS account. Once the onPrem installation or the SaaS account setup is complete, follow the steps below.

0 - To-dos after onPrem installation

1 - Install and set up first hosts

Install hosts quickly and easily using the installation scripts provided under the menu item Hosts.
The Pulsar agent can also be rolled out via Windows Group Policy.
Best practice recommendation for first tags:
Assign the tag IDS and the tag IPS. Further tags usually follow from your company structure, such as department tags (HR, Controlling, etc.) or location tags.
  • Create first policies: With policies you centrally manage the configuration settings of the hosts on the basis of their assigned tags. This also ensures that new hosts only need to be given the appropriate tags in order to receive the correct configuration.
Best practice recommendation for the first two policies: Create a separate policy for each feature. Start with a policy on the "Server" tag that enables system event monitoring.
Create another policy on the tag "IDS" that enables network monitoring with IDS level 2.

2 - Set up penetration testing

  • Configure Hacktor: After the first Hacktor has been installed successfully, its configuration determines the duration of the scan and the quality of the results.
Best practice recommendation for two configuration options: Leave Hacktor on the default configuration for a quick initial scan that surfaces the top findings. For a deep scan, set the scan frequency to "Low" and extend the port range to 1-65535. Note that, depending on the number of IP addresses to be scanned, such a scan may take several days.
  • Define target systems: Best practice recommendation for target systems:
Enter the network segment to be scanned in CIDR notation as the target system, e.g. 192.168.70.0/24. Create a new target system for each network segment and name it according to its purpose, e.g. management network, server network, client network.
Keep in mind that Hacktor must be able to reach the IP addresses it is supposed to scan. For this reason you can install several Hacktors in different network segments.
  • Create audit templates: A template determines which target systems are scanned by which Hacktor.
Best practice recommendation for the first template:
Specify the target system to scan and the Hacktor that should perform the scan. The remaining settings can be left at their defaults for now.
If necessary, exclude printers that you already know to be obsolete or unconfigured, since they may otherwise behave unexpectedly when scanned.
  • Start penetration test: From the templates page you can start a pentest based on a template at any time. It is also worthwhile to run the tests automatically on a regular basis.
Best practice recommendation:
The recurring execution via the templates can also be used to run a test once, for example at night. This is worthwhile in production-critical environments, for example.
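The target-system and Hacktor placement steps above, as an added example in Python (not Enginsight's own code): it validates CIDR target systems and port ranges, checks which Hacktor can reach each segment, and estimates how many host/port pairs the deep-scan range 1-65535 implies per segment. The Hacktor names and addresses, the `routed_to` attribute (a Hacktor that can reach a segment through routing rather than sitting in it) and all sample segments are assumptions made for illustration.

```python
"""Scan planning helper for Hacktor target systems (added example, not
Enginsight code). Checks which Hacktor can reach each CIDR segment and how
many host/port pairs a port range implies."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Hacktor:
    name: str
    address: str           # IP of the machine the Hacktor runs on
    routed_to: tuple = ()  # CIDRs reachable via routing/firewall (assumed attribute)


def parse_port_range(spec):
    """Turn '1-65535' or '22,80,443,8000-8100' into a set of port numbers."""
    ports = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), (int(hi) if hi else int(lo))
        if not 1 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"invalid port range: {part!r}")
        ports.update(range(lo_i, hi_i + 1))
    return ports


def usable_hosts(segment):
    """Scannable addresses; /31 and /32 (v6 /127, /128) have no network/broadcast."""
    net = ipaddress.ip_network(segment, strict=False)
    if net.prefixlen >= net.max_prefixlen - 1:
        return net.num_addresses
    return net.num_addresses - 2


def reachable_hacktors(segment, hacktors):
    """Names of Hacktors that sit inside the segment or have a route to it."""
    net = ipaddress.ip_network(segment, strict=False)
    names = []
    for h in hacktors:
        addr = ipaddress.ip_address(h.address)
        on_link = addr.version == net.version and addr in net
        routed = any(
            net.version == r.version and net.subnet_of(r)
            for r in (ipaddress.ip_network(c, strict=False) for c in h.routed_to)
        )
        if on_link or routed:
            names.append(h.name)
    return names


def plan_scan(target_systems, hacktors, port_spec="1-65535"):
    """target_systems maps a name to a CIDR; returns a per-target plan."""
    ports = len(parse_port_range(port_spec))
    plan = {}
    for name, cidr in target_systems.items():
        hosts = usable_hosts(cidr)
        plan[name] = {
            "cidr": str(ipaddress.ip_network(cidr, strict=False)),
            "hacktors": reachable_hacktors(cidr, hacktors),
            "hosts": hosts,
            "host_port_pairs": hosts * ports,
        }
    return plan


def unreachable_targets(plan):
    """Targets no Hacktor can reach: install a Hacktor there or add a route."""
    return sorted(name for name, p in plan.items() if not p["hacktors"])


# Constructed sample data, not taken from a real installation.
TARGETS = {
    "server network": "192.168.70.0/24",
    "client network": "192.168.80.0/24",
    "management network": "10.10.0.0/28",
    "lab network": "172.16.5.0/24",
}
HACKTORS = (
    Hacktor("hacktor-srv", "192.168.70.10", routed_to=("192.168.80.0/24",)),
    Hacktor("hacktor-mgmt", "10.10.0.5"),
)

if __name__ == "__main__":
    plan = plan_scan(TARGETS, HACKTORS)
    for name, p in plan.items():
        print(f"{name:20} {p['cidr']:18} hosts={p['hosts']:4} "
              f"pairs={p['host_port_pairs']:>10} via {p['hacktors'] or 'NOBODY'}")
    print("unreachable:", unreachable_targets(plan))
```

The `host_port_pairs` figure is only an upper bound on probes (a real scanner skips hosts that do not answer), but it makes the difference between a default port range and 1-65535 visible before a multi-day scan is started, and `unreachable_targets` catches the segment for which no Hacktor has been placed.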

3 - Set up website scan

  • Configure Observer: Set the Observer region. The region should reflect the location of the Observer; if the Observer is on the internal network, for example, the region could be named "internal".
Best practice recommendation:
Enable all modules of the Observer.
  • Set up the first website: When entering the URL, pay attention to whether you want to scan the http or the https URL. If in doubt, always specify the https URL.
Best practice recommendation: Enter a URL such as https://yourdomain.com, select the appropriate region and leave the scan areas at their defaults.

4 - Inventory of the network segments

  • Configure Watchdog: After installing Watchdog, you can use it to inventory network segments, monitor them for newly appearing devices, or implement ping, port, or SNMP monitoring.
Best practice recommendation:
Add your network segments by entering their CIDR and assign meaningful names such as server network, management network, etc.
Activate permanent monitoring to start the inventory.
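What "monitoring a segment for new devices" amounts to, as an added Python example (not Enginsight code): two inventory snapshots of the configured segments are parsed and compared, and every address that is new, has disappeared, or now answers from a different MAC is reported together with the segment it belongs to. The snapshot format (one "ip mac" pair per line, as an ARP table would give it), the segment names and all addresses are constructed for the example.

```python
"""Inventory diff for Watchdog-style network segments (added example, not
Enginsight code). Compares two address snapshots and reports new devices,
missing devices and IP-to-MAC changes per segment."""
import ipaddress
import re

# One 'ip mac' pair per line; header lines and anything else are ignored.
ENTRY = re.compile(r"^\s*(\S+)\s+([0-9a-f]{2}(?:[:-][0-9a-f]{2}){5})\b", re.I)


def parse_snapshot(text):
    """Parse snapshot text into {ip: mac}; lines with malformed IPs are skipped."""
    devices = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower().replace("-", ":")
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        devices[ip] = mac
    return devices


def segment_of(ip, segments):
    """Name of the configured segment an address belongs to, else 'unassigned'."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in segments.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version == net.version and addr in net:
            return name
    return "unassigned"


def diff_inventory(baseline, current, segments):
    """Return {'new': [...], 'missing': [...], 'mac_changed': [...]}.

    'new' is what a new-device alert is built on. 'mac_changed' is worth a
    look as well: a known IP answering from a different MAC can be address
    reuse, a replaced device, or spoofing."""
    report = {"new": [], "missing": [], "mac_changed": []}
    # sort by (version, address) so v4 and v6 entries never get compared directly
    order = lambda ip: (ipaddress.ip_address(ip).version, ipaddress.ip_address(ip))
    for ip in sorted(set(baseline) | set(current), key=order):
        seg = segment_of(ip, segments)
        if ip not in baseline:
            report["new"].append((seg, ip, current[ip]))
        elif ip not in current:
            report["missing"].append((seg, ip, baseline[ip]))
        elif baseline[ip] != current[ip]:
            report["mac_changed"].append((seg, ip, baseline[ip], current[ip]))
    return report


# Constructed sample data (segments and two snapshots); not from a real network.
SEGMENTS = {"server network": "192.168.70.0/24", "client network": "192.168.80.0/24"}

BASELINE = """\
Address         HWaddress
192.168.70.1    00:11:22:33:44:01
192.168.70.20   00:11:22:33:44:20
192.168.80.15   aa:bb:cc:dd:ee:15
192.168.80.16   aa:bb:cc:dd:ee:16
"""

CURRENT = """\
Address         HWaddress
192.168.70.1    00:11:22:33:44:01
192.168.70.20   de:ad:be:ef:00:20
192.168.80.15   aa:bb:cc:dd:ee:15
192.168.80.77   aa:bb:cc:dd:ee:77
10.99.0.3       02:42:ac:11:00:03
"""

if __name__ == "__main__":
    rep = diff_inventory(parse_snapshot(BASELINE), parse_snapshot(CURRENT), SEGMENTS)
    for kind, rows in rep.items():
        for row in rows:
            print(kind, *row)
```

The "unassigned" bucket is the useful by-product: a device that shows up outside every segment you configured usually means a segment is missing from the inventory rather than that the device is harmless.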

5 - Set up alerts

Best practice recommendation for first alerts:
  • New vulnerabilities with a CVSS score of 7 or higher
  • Suspicious network traffic with severity "HIGH" or above
  • Failed login attempt
  • New admin account created
  • Website not available
  • Endpoint rating got worse
  • Days until certificate expires
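The recommended first alert rules, evaluated over constructed events as an added Python example (not Enginsight code). It shows the points a rule definition has to be precise about: the CVSS threshold "as of 7" is inclusive, the traffic severity "as of HIGH" needs an ordering of severity levels, "rating got worse" needs an ordering of grades, and certificate expiry is a computed number of days rather than a stored flag. The severity ordering, the A to F grade scale, the 30-day certificate lead time and the event field names are assumptions, not values from the page.

```python
"""Evaluation of the recommended first alert rules over constructed events
(added example, not Enginsight code). Values marked 'assumed' are not stated
on the page."""
from datetime import date

SEVERITY = ("LOW", "MEDIUM", "HIGH", "CRITICAL")  # assumed ordering of traffic severities
RATING = ("A", "B", "C", "D", "E", "F")            # assumed endpoint grade scale, A is best
CVSS_MIN = 7.0                                      # "as of level 7": inclusive threshold
CERT_WARN_DAYS = 30                                 # assumed lead time for certificate expiry


def evaluate(event, today):
    """Return an alert message for one event, or None if no rule fires."""
    t = event["type"]
    if t == "vulnerability":
        if event["cvss"] >= CVSS_MIN:
            return f"{event['host']}: new vulnerability {event['id']} (CVSS {event['cvss']})"
    elif t == "network":
        if SEVERITY.index(event["severity"]) >= SEVERITY.index("HIGH"):
            return f"{event['host']}: suspicious traffic, severity {event['severity']}"
    elif t == "login_failed":
        return f"{event['host']}: failed login attempt for {event['user']}"
    elif t == "account_created":
        if event.get("admin"):
            return f"{event['host']}: new admin account {event['user']}"
    elif t == "website":
        if not event["available"]:
            return f"{event['url']}: website not available"
    elif t == "rating":
        # a larger index is a worse grade; an improvement must not alert
        if RATING.index(event["new"]) > RATING.index(event["old"]):
            return f"{event['host']}: endpoint rating worsened {event['old']} -> {event['new']}"
    elif t == "certificate":
        days = (event["not_after"] - today).days
        if days <= CERT_WARN_DAYS:
            return f"{event['url']}: certificate expires in {days} days"
    return None


def evaluate_all(events, today):
    """Alert messages for every event that matches a rule, in input order."""
    return [msg for msg in (evaluate(e, today) for e in events) if msg]


# Constructed sample events; the values are chosen to sit on both sides of each threshold.
TODAY = date(2024, 6, 1)
EVENTS = [
    {"type": "vulnerability", "host": "srv01", "id": "finding-1", "cvss": 6.9},
    {"type": "vulnerability", "host": "srv01", "id": "finding-2", "cvss": 7.0},
    {"type": "network", "host": "srv02", "severity": "MEDIUM"},
    {"type": "network", "host": "srv02", "severity": "HIGH"},
    {"type": "network", "host": "srv03", "severity": "CRITICAL"},
    {"type": "login_failed", "host": "srv01", "user": "svc-backup"},
    {"type": "account_created", "host": "srv01", "user": "j.doe", "admin": False},
    {"type": "account_created", "host": "srv01", "user": "helpdesk2", "admin": True},
    {"type": "website", "url": "https://shop.example", "available": True},
    {"type": "website", "url": "https://intranet.example", "available": False},
    {"type": "rating", "host": "srv04", "old": "B", "new": "A"},
    {"type": "rating", "host": "srv05", "old": "A", "new": "C"},
    {"type": "certificate", "url": "https://shop.example", "not_after": date(2024, 6, 11)},
    {"type": "certificate", "url": "https://intranet.example", "not_after": date(2024, 12, 1)},
]

if __name__ == "__main__":
    for alert in evaluate_all(EVENTS, TODAY):
        print(alert)
```

Passing `today` in explicitly rather than reading the clock inside the function is what makes the certificate rule testable and replayable against historical events.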

Advanced topics

Once you have become more familiar with Enginsight, we recommend that you turn your attention to the following topics.

Define additional policies

  • Enable Shield (IPS) on the hosts on which suspicious network activity should be blocked. We recommend using a dedicated tag here as well. Then use the Autopilot in the Shield menu to create a dynamic rule; we recommend blocking level 2.
  • Activate extended software monitoring. This inventories all software, including software that was not installed with a regular installer.
  • Automate updates. We recommend automating the installation of security-relevant updates in particular.
  • Enable plugins. The plugin system is very powerful and lets you run self-defined plugins on a regular schedule or in response to defined alerts.

Extend Pentest Templates

  • Use your own password lists, for example to test the network for outdated local user accounts.
  • With auth providers you extend the blackbox scan into a greybox scan, which in particular improves the quality of the vulnerability scan results.
  • The most advanced option is writing individual test scripts. This is especially useful when you want to test a specific application individually.

Specific observer settings

  • Your observers can act as "dedicated" observers. In this way, one observer can be used by multiple clients.
  • In addition, an observer can be explicitly configured to monitor internal targets, i.e. targets within its private network area.

More alerts

  • In the Windows environment, group policy changes and unauthorized object access should be monitored. These scenarios require additional configuration of the servers' audit logging: the matching advanced audit policy subcategories have to be enabled on the servers, and object access auditing additionally requires a SACL on the objects to be watched; without that, the events are never written to the Security log.
  • The Installed/Uninstalled Software alert lets you monitor any change to a host's software inventory.
  • Use the "Blocked network attack" alert to be notified directly about a successful block.
  • Use the two "New open port" alert scenarios for servers and for websites.
  • Be alerted about changes to the DNS entries of websites.

This guide is intended to give you a short introduction to the Enginsight platform. You should now be able to find your way around and have a good overview of Enginsight's capabilities.