
SIEM Integration & Formats

After installing the NormShield agent through NormShield Hotpoint, the syslog configuration settings can be adjusted under the SIEM tab.


Here, first of all, the Enable SysLog checkbox should be selected. After specifying the server IP address and port, select the syslog version and protocol supported by the target server (generic syslog server, HP ArcSight, Splunk, etc.).

Before going any further, a test log entry can be sent to the target server to confirm that the connection is working.


If everything is OK, this is a good time to select the severity threshold for new vulnerabilities (Minimum Vulnerability Severity) and new alarms (Minimum Alarm Priority) to fetch from NormShield and send to the target SIEM server.

Here's a screenshot from Kiwi SysLog Server & NormShield interconnection:

Here's a screenshot from Splunk & NormShield interconnection: 

In addition, one can also adjust the time span (in days) of the oldest open vulnerabilities or active alarms to send to the target SIEM server when the feature runs for the first time. The default value is 7 days, which means only the unmitigated vulnerabilities/alarms inserted into the system within the last 7 days will be sent to the SIEM.

Important Note: SIEM integration runs every 10 minutes by default. This value will become adjustable from the interface in upcoming deployments; for now it can be changed by editing the value (in minutes) of the POLL_PERIOD_FOR_NSSYSLOG key in Common.Config under the agent installation directory.

SysLog Format

Here's the non-CEF format used for sending vulnerabilities:

VulnID="43312";Name="Blind SQL Injection";Asset="10.210.60.104";Severity="Critical";CreationDate="25.05.2015";Hostname="vwebinspect";TaxID="2001";Status="Open";Port="8080";Type="WebApp";OS="Windows Server 2012 R2";URL="http%3a%2f%2fwww.normshieldportal.com%2fvuln%2fid%2f37353";AssetNSRiskScore=12;AssetPriority=High;References="CVE|CVE-2014-3212,URL|https://www.vulndreference.com/27252"

AssetNSRiskScore is the NormShield-calculated asset score, taking all vulnerabilities of this asset into account. The range is 0-20.

AssetPriority is the priority of the asset (one of Low, Medium, High, Critical) given by the user who created the asset.

TaxID is the taxonomy identification number given for the finding type (vulnerability) and category (e.g. webapp).

And here's the non-CEF format used for sending alarms:

AlarmID="12372";Name="A test alarm name";Source="Credit Cards";TaxID="1007";Priority="High";Status="";CreationDate="26.04.2016";URL="http%3a%2f%2fwww.normshieldportal.com%2falarm%2fid%3f352";Entities="CreditCard:54353725263832";

Entities is a composite field with : as the separator between each alarm's entity type and value. In the above example, the entity type is CreditCard and the value is the card number. Originally each alarm may contain more than one entity; however, when sending to the SIEM they are fanned out into multiple alarms. So if an alarm contains 5 entities (say, 5 leaked credit card numbers), before sending it to the SIEM it is multiplied into 5 alarm instances, each containing only one entity.

TaxID is the taxonomy identification number given for the finding type (alarm) and category (e.g. credit card leakage).
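To show how the two non-CEF lines above are consumed on the SIEM side, here is an added Python example (written for this article; it is not NormShield's own code, and the function names are my own). It splits the Key="Value"; pairs, including the unquoted AssetNSRiskScore and AssetPriority values, decodes the percent-encoded URL, turns References into Type|Value pairs and reads the single Entities pair that each fanned-out alarm instance carries. The mask_entity_value helper is an addition for the ingest side: since every alarm instance carries the leaked value in clear, redacting it before indexing keeps card numbers out of the SIEM's searchable store.

```python
import re
from datetime import datetime, date
from urllib.parse import unquote

# Constructed sample lines, copied from the two non-CEF examples in this article.
SAMPLE_VULN = ('VulnID="43312";Name="Blind SQL Injection";Asset="10.210.60.104";'
               'Severity="Critical";CreationDate="25.05.2015";Hostname="vwebinspect";'
               'TaxID="2001";Status="Open";Port="8080";Type="WebApp";'
               'OS="Windows Server 2012 R2";'
               'URL="http%3a%2f%2fwww.normshieldportal.com%2fvuln%2fid%2f37353";'
               'AssetNSRiskScore=12;AssetPriority=High;'
               'References="CVE|CVE-2014-3212,URL|https://www.vulndreference.com/27252"')

SAMPLE_ALARM = ('AlarmID="12372";Name="A test alarm name";Source="Credit Cards";'
                'TaxID="1007";Priority="High";Status="";CreationDate="26.04.2016";'
                'URL="http%3a%2f%2fwww.normshieldportal.com%2falarm%2fid%3f352";'
                'Entities="CreditCard:54353725263832";')

# One Key=Value pair: the value is either double-quoted (and may then contain ';')
# or bare, as in AssetNSRiskScore=12, terminated by ';' or the end of the line.
_PAIR_RE = re.compile(r'([A-Za-z][A-Za-z0-9]*)=(?:"([^"]*)"|([^;]*))(?:;|$)')


def parse_normshield_syslog(line: str) -> dict:
    """Split one non-CEF NormShield syslog line into a dict of raw string fields."""
    fields = {}
    for m in _PAIR_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def portal_url(fields: dict) -> str:
    """The URL field is percent-encoded; decode it back to the portal link."""
    return unquote(fields["URL"])


def creation_date(fields: dict) -> date:
    """CreationDate uses day.month.year, e.g. 25.05.2015."""
    return datetime.strptime(fields["CreationDate"], "%d.%m.%Y").date()


def references(fields: dict) -> list:
    """References is a comma-separated list of Type|Value pairs."""
    raw = fields.get("References", "")
    return [tuple(item.split("|", 1)) for item in raw.split(",") if item]


def entity(fields: dict) -> tuple:
    """Entities holds exactly one Type:Value pair per SIEM alarm instance."""
    kind, value = fields["Entities"].split(":", 1)
    return kind, value


def mask_entity_value(value: str, keep: int = 4) -> str:
    """Redact all but the last `keep` characters of a leaked value (hypothetical
    ingest-side helper) so card numbers are not indexed in clear text."""
    return "*" * max(len(value) - keep, 0) + value[-keep:]
```

Parsing with a regular expression rather than a plain split on ; matters because the quoted Name and URL fields are free text that may legitimately contain semicolons.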

CEF Format

Last but not least, CEF (Common Event Format) can be enabled by selecting the Enable CEF checkbox next to the Enable Syslog checkbox.

Here's a sample CEF-formatted vulnerability:

0|NormShield|NSIntra|1.0.1|Blind SQL Injection|Vulnerability Scan|8|dst=10.210.60.104 dhost=vwebinspect act=Open dpt=8080 deviceCustomDate1=1432512000000 deviceCustomDate1Label=CreationDateInMilliSecondsSinceEpoch cn1=12 cn1Label=AssetNSRiskScore cs1=High cs1Label=AssetPriority cs3=2001 cs3Label=TaxonomyID request=http%3a%2f%2fwww.normshieldportal.com%2fvuln%2fid%2f37353 cs2=CVE|CVE-2012-122,URL|https://www.vulnreferences.com/1234823 cs2Label=References msg=WebApp-Windows Server 2012 R2

All of the extension fields are CEF-compliant fields. The last header field before the extension (...|Severity|[Extension]) shows the severity of the vulnerability sent to the SIEM. The CEF standard defines the severity mapping as follows: "Severity is a string or integer and reflects the importance of the event. The valid string values are; Unknown, Low, Medium, High, and Very-High. The valid integer values are 0-3=Low, 4-6=Medium, 7-8=High, and 9-10=Very-High"

So the corresponding NormShield vulnerability severities are: 0 -> Info, 2 -> Low, 4 -> Medium, 6 -> High, 8 -> Critical and finally 10 -> Urgent.

deviceCustomDate1 (labelled by deviceCustomDate1Label) is the creation date of the vulnerability, represented as milliseconds since the Epoch.

cn1 is the NormShield-calculated asset score, taking all vulnerabilities of this asset into account. The range is 0-20.

cs1 is the priority of the asset (one of Low, Medium, High, Critical) given by the user who created the asset.

cs2 is the reference list associated with the vulnerability, in Type|Value format, separated by commas.

The request field contains the fully URL-encoded URL of the NormShield portal page with the related vulnerability details. Additionally, msg is a composite field with - (dash) as the separator character:

  1. The first token is the type of the vulnerability, which is one of; WebApp, NetSec, Design, OS, DB.
  2. The second token is the operating system on which the vulnerability exists.

Here's a sample CEF-formatted alarm:

0|NormShield|NSIntra|1.0.1|A test alarm name|Alarm|6|dst=Credit Cards act= start=1461628800000 end=1461628800000 cs3=1007 cs3Label=TaxonomyID request=http%3a%2f%2fwww.normshieldportal.com%2falarm%2fid%2f37353 msg=CreditCard:54353725263832

All of the extension fields are CEF-compliant fields. The last header field before the extension (...|Severity|[Extension]) shows the priority level of the alarm sent to the SIEM. The CEF standard defines the severity mapping as follows: "Severity is a string or integer and reflects the importance of the event. The valid string values are; Unknown, Low, Medium, High, and Very-High. The valid integer values are 0-3=Low, 4-6=Medium, 7-8=High, and 9-10=Very-High"

So the corresponding NormShield alarm priorities are: 0 -> Info, 2 -> Low, 4 -> Medium, 6 -> High, 8 -> Critical and finally 10 -> Urgent.

The request field contains the fully URL-encoded URL of the NormShield portal page with the related alarm details. Additionally, msg is a composite field with : as the separator between each alarm's entity type and value. In the above example, the entity type is CreditCard and the value is the card number. Originally each alarm may contain more than one entity; however, when sending to the SIEM they are fanned out into multiple alarms. So if an alarm contains 5 entities (say, 5 leaked credit card numbers), before sending it to the SIEM it is multiplied into 5 alarm instances, each containing only one entity.
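The CEF vulnerability and alarm events above, parsed end to end, as an added Python example (written for this article, not NormShield's own code; the field names in the returned dict are my own). It splits the seven header fields while honouring the CEF \| escape, walks the extension so that values containing spaces (msg=WebApp-Windows Server 2012 R2) and the empty act= on alarms survive, converts the integer severity both to the CEF band quoted above and to the NormShield label, converts the millisecond timestamps, and unpacks the msg field according to the Type-OS (vulnerability) and EntityType:Value (alarm) conventions described above. One caveat worth noticing from the alarm sample: dst carries the alarm source ("Credit Cards"), not an IP address, so a SIEM rule that treats dst as a host field will mis-parse alarm events.

```python
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# Constructed sample events, copied from the two CEF examples in this article.
CEF_VULN = ('0|NormShield|NSIntra|1.0.1|Blind SQL Injection|Vulnerability Scan|8|'
            'dst=10.210.60.104 dhost=vwebinspect act=Open dpt=8080 '
            'deviceCustomDate1=1432512000000 '
            'deviceCustomDate1Label=CreationDateInMilliSecondsSinceEpoch '
            'cn1=12 cn1Label=AssetNSRiskScore cs1=High cs1Label=AssetPriority '
            'cs3=2001 cs3Label=TaxonomyID '
            'request=http%3a%2f%2fwww.normshieldportal.com%2fvuln%2fid%2f37353 '
            'cs2=CVE|CVE-2012-122,URL|https://www.vulnreferences.com/1234823 '
            'cs2Label=References msg=WebApp-Windows Server 2012 R2')

CEF_ALARM = ('0|NormShield|NSIntra|1.0.1|A test alarm name|Alarm|6|'
             'dst=Credit Cards act= start=1461628800000 end=1461628800000 '
             'cs3=1007 cs3Label=TaxonomyID '
             'request=http%3a%2f%2fwww.normshieldportal.com%2falarm%2fid%2f37353 '
             'msg=CreditCard:54353725263832')

# NormShield labels for the CEF integer severities listed in this article.
NORMSHIELD_LEVELS = {0: "Info", 2: "Low", 4: "Medium", 6: "High", 8: "Critical", 10: "Urgent"}

# Header '|' may be escaped as '\|' inside a field; split only on unescaped ones.
_HEADER_SPLIT = re.compile(r'(?<!\\)\|')
# An extension key is a token followed by '='; a value runs until the next key,
# so values with spaces are preserved and an empty value (act=) is allowed.
_EXT_KEY = re.compile(r'(?:^|\s)([A-Za-z][A-Za-z0-9_]*)=')


def cef_band(severity: int) -> str:
    """The CEF standard's integer-to-string severity mapping quoted above."""
    if 0 <= severity <= 3:
        return "Low"
    if 4 <= severity <= 6:
        return "Medium"
    if 7 <= severity <= 8:
        return "High"
    if 9 <= severity <= 10:
        return "Very-High"
    return "Unknown"


def parse_extension(ext: str) -> dict:
    """Parse 'key=value key2=value with spaces' into a dict."""
    fields = {}
    keys = list(_EXT_KEY.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        value = ext[m.end():end].strip()
        # CEF escapes '=' and '\' inside extension values
        fields[m.group(1)] = value.replace(r'\=', '=').replace('\\\\', '\\')
    return fields


def parse_cef(line: str) -> dict:
    """Split a CEF line into its seven header fields plus the parsed extension."""
    if line.startswith("CEF:"):
        line = line[4:]
    parts = _HEADER_SPLIT.split(line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("not a CEF event: expected 7 header fields")
    header = [p.replace(r'\|', '|') for p in parts[:7]]
    ext = parse_extension(parts[7])
    severity = int(header[6])
    event = {
        "vendor": header[1], "product": header[2], "device_version": header[3],
        "signature_id": header[4], "name": header[5],
        "severity": severity,
        "cef_band": cef_band(severity),
        "normshield_level": NORMSHIELD_LEVELS.get(severity, "Unknown"),
        "extension": ext,
        "portal_url": unquote(ext.get("request", "")),
    }
    # Vulnerabilities carry the creation time in deviceCustomDate1, alarms in start.
    ts = ext.get("deviceCustomDate1") or ext.get("start")
    if ts:
        event["created_at"] = datetime.fromtimestamp(int(ts) / 1000, tz=timezone.utc)
    if header[5] == "Vulnerability Scan":
        # msg is Type-OS; split on the first dash only, since an OS name may contain dashes
        finding_type, _, os_name = ext.get("msg", "").partition("-")
        event["finding_type"], event["os"] = finding_type, os_name
        refs = ext.get("cs2", "")
        event["references"] = [tuple(r.split("|", 1)) for r in refs.split(",") if r]
    elif header[5] == "Alarm":
        # msg is EntityType:Value; dst holds the alarm source, not an IP address
        kind, _, value = ext.get("msg", "").partition(":")
        event["entity"] = (kind, value)
        event["source"] = ext.get("dst", "")
    return event
```

The extension is deliberately not split on whitespace: CEF values are unquoted, so the only reliable delimiter is the next key= token, which is also why msg is placed last in the NormShield events.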

After everything is good, don't forget to hit the SAVE button.
