EXT_SOC_DOC_Supported Devices and Connection Methods


    EXT_SOC_DOC_Supported devices and connection methods, Version 1.2

    9/16/2013 SecurView

    HIGHLY CONFIDENTIAL


    Table of Contents

    1. Introduction  3
    1.1 Purpose  3
    1.2 Scope  3
    1.3 Reference Document  3
    2. Supported vendor devices in SIEM  4
    3. Connection methods in SIEM  9
    3.1 Overview of the connection methods  9
    4. Document Change Control  14


    1. Introduction

    1.1 Purpose

    The purpose of this document is to provide the list of vendor devices and connection methods supported by the SIEM application.

    1.2 Scope

    This document applies to the SIEM application.

    1.3 Reference Document


    2. Supported vendor devices in SIEM

    The SIEM application uses Collectors and Connectors (scripts) to on-board devices.

    The following table lists the vendor devices for which Collectors are available from the SIEM vendor; in short, these are the devices supported in the SIEM application. The list also shows the connection method (Connectors) used for each device.

    Table 1

    Vendor Core Product Build Date Version Connectors

    AirPatrol Wireless Locator System Apr 2010 6.1r1 SYSLOG

    Apache HTTP Server Sep 2011 2011.1r1 FILE,SYSLOG

    Attachmate Luminet Jun 2012 2011.1r1 SYSLOG

    Barracuda Web Application Firewall Apr 2010 6.1r1 SYSLOG

    Blue Coat ProxySG Appliances Jul 2013 2011.1r1 SYSLOG,FILE

    CA SiteMinder Jul 2011 6.1r1 DATABASE

    Check Point Security Gateways May 2013 2011.1r1 LEA

    Cisco Aironet Jul 2011 6.1r1 SYSLOG

    Cisco Firewall Jan 2013 2011.1r1 SYSLOG

    Cisco Intrusion Prevention Jun 2012 6.1r4 SDEE

    Cisco IronPort Jul 2011 6.1r1 SYSLOG,FILE

    Cisco Network Admission Control Jul 2011 6.1r1 DATABASE,SYSLOG

    Cisco Secure Access Control Server Jul 2013 2011.1r1 SYSLOG

    Cisco Security Agent Jun 2010 6.1r2 DATABASE

    Cisco Switch and Router Nov 2009 6.1r2 SYSLOG

    Cisco VPN 3000 Sep 2009 6.1r1 SYSLOG


    Cisco Wireless LAN Controller Jul 2011 6.1r1 SYSLOG

    Enterasys Dragon Sep 2009 6.1r1 SYSLOG

    Extreme Networks Summit Series Jan 2010 6.1r1 SYSLOG

    F5 BIG-IP Jul 2010 6.1r1 SYSLOG

    F5 Firepass Jul 2010 6.1r1 SYSLOG

    Fortinet FortiGate Feb 2013 2011.1r1 SYSLOG

    Generic Asset Sep 2009 6.1r2 FILE

    NetIQ Universal Event Feb 2013 2011.1r1 FILE,SYSLOG,SNMP,WMS,DATABASE,PROCESS,LEA,SDEE,AUDIT,TEST_DATA_GEN

    Generic Hostname Resolution Service May 2011 6.1r2 NA

    Generic IP Geolocation Service Mar 2011 6.1r1 FILE

    Generic Identity Sep 2009 6.1r1 FILE

    HP HP-UX Jan 2013 2011.1r1 SYSLOG

    IBM AIX Jul 2012 6.1r3 SYSLOG

    IBM DB2 Jun 2011 6.1r3 DATABASE,FILE

    IBM Lotus Domino Jun 2010 6.1r1 SNMP,SYSLOG,WMS

    IBM Proventia Network Enterprise Scanner Jul 2009 6.1r1 DATABASE

    IBM Tivoli Access Manager for Operating Systems Apr 2010 6.1r1 FILE

    IBM WebSphere Application Server Feb 2010 6.1r1 FILE

    IBM iSeries Feb 2013 2011.1r3 SYSLOG,FILE

    IBM zOS Nov 2009 6.1r1 SYSLOG


    Insecure.org Nmap Apr 2010 6.1r1 FILE

    Juniper IDP Series Feb 2010 6.1r1 SYSLOG

    Juniper Netscreen Series Nov 2012 2011.1r1 SYSLOG

    Juniper Routers and Gateways Dec 2010 6.1r2 SYSLOG

    Juniper SA Series Dec 2010 6.1r1 SYSLOG

    McAfee Firewall Enterprise Jul 2013 2011.1r1 SYSLOG

    McAfee Host Intrusion Prevention Oct 2010 6.1r2 DATABASE

    McAfee Network Security Platform Oct 2010 6.1r2 DATABASE

    McAfee VirusScan Enterprise Jul 2013 2011.1r1 FILE,WMS

    McAfee Vulnerability Manager Dec 2009 6.1r2 DATABASE

    McAfee ePolicy Orchestrator Oct 2010 6.1r5 DATABASE

    Microsoft Active Directory Identities Sep 2011 2011.1r1 FILE

    Microsoft Active Directory and Windows Feb 2013 2011.1r3 WMS,SYSLOG

    Microsoft DHCP Sep 2011 2011.1r1 FILE

    Microsoft Exchange Server Jul 2013 2011.1r2 WMS,FILE

    Microsoft Forefront Protection 2010 for Exchange Jul 2011 6.1r1 WMS

    Microsoft Forefront Server Security Management Jul 2011 6.1r1 DATABASE

    Microsoft Forefront Threat Management Gateway Jul 2011 6.1r1 DATABASE,FILE

    Microsoft IIS May 2013 2011.1r1 SYSLOG,FILE

    Microsoft ISA Server Dec 2009 6.1r1 FILE

    Microsoft SQL Server Dec 2009 6.1r2 SYSLOG,DATABASE


    Microsoft System Center Operations Manager Jan 2010 6.1r1 DATABASE

    NetIQ Agent Manager Jun 2013 2011.1r3 SYSLOG

    NetIQ Change Guardian (Legacy) Sep 2011 2011.1r1 SYSLOG

    NetIQ UNIX Agent Jul 2013 2011.1r3 SYSLOG

    Nortel VPN Sep 2009 6.1r1 SYSLOG

    Novell Access Governance Suite Apr 2010 6.1r1 DATABASE

    Novell Access Manager SSL VPN Mar 2010 6.1r1 AUDIT

    NetIQ Access Manager Oct 2012 2011.1r1 FILE,AUDIT

    NetIQ Cloud Manager Jun 2012 2011.1r1 FILE,SYSLOG

    Novell Cloud Security Service May 2011 6.1r1 SYSLOG

    Novell Identity Manager Apr 2011 6.1r7 AUDIT,SYSLOG

    Novell Identity Vault Sep 2009 6.1r2 Not Applicable

    Novell Modular Authentication Services Nov 2009 6.1r3 AUDIT,FILE

    Novell NetWare Jan 2010 6.1r4 AUDIT,FILE

    Novell Open Enterprise Server Mar 2011 6.1r6 SYSLOG

    Novell PlateSpin Orchestrate Oct 2010 6.1r1 SYSLOG

    Novell Privileged User Manager Sep 2009 6.1r1 SYSLOG

    SUSE Linux Enterprise Server Jul 2013 2011.1r1 SYSLOG

    Novell SecretStore Jan 2010 6.1r1 AUDIT,FILE

    Novell SecureLogin Dec 2009 6.1r2 WMS,SYSLOG

    Novell Sentinel Link Sep 2011 2011.1r1 SENTINEL_LINK

    Novell eDirectory Jan 2013 2011.1r1 AUDIT,SYSLOG

    Novell iManager Apr 2011 6.1r4 AUDIT


    OpenLDAP slapd Feb 2010 6.1r1 SYSLOG

    Oracle BEA WebLogic Server Nov 2009 6.1r1 FILE

    Oracle Database Mar 2011 6.1r2 DATABASE

    Oracle Solaris May 2013 2011.1r1 SYSLOG

    Qualys QualysGuard Jul 2009 6.1r1 FILE

    RSA ACE Server Jan 2010 6.1r1 FILE

    Rapid7 NeXpose Feb 2010 6.1r2 DATABASE

    Red Hat Enterprise Linux May 2013 2011.1r1 SYSLOG

    SAP CCMS Jun 2012 6.1r3 SAP

    SonicWALL Firewall Jan 2013 2011.1r1 SYSLOG

    Sourcefire Snort Feb 2013 2011.1r1 FILE,SYSLOG,DATABASE

    Oracle Directory Server Enterprise Edition Nov 2012 2011.1r1 FILE

    Sun MySQL Nov 2009 6.1r1 DATABASE

    Symantec Critical System Protection Apr 2010 6.1r1 DATABASE

    Symantec Endpoint Protection Apr 2013 2011.1r2 SYSLOG,FILE,DATABASE

    Tenable Nessus Nov 2009 6.1r2 FILE

    TippingPoint Security Management System Apr 2010 6.1r3 SYSLOG

    Trend Micro OfficeScan Aug 2013 2011.1r1 FILE,WMS

    Websense Web Security Nov 2012 2011.1r1 SNMP,DATABASE

    eEye REM Oct 2011 6.1r3 DATABASE

    eEye Retina Jul 2009 6.1r1 DATABASE

    nCircle IP360 Jul 2009 6.1r1 FILE


    3. Connection methods in SIEM

    The SIEM application supports the connection methods listed in Table 2; these are the Connectors referenced in Table 1.

    Table 2

    Name Short Name Build Date Version

    Agent Manager Agent_Manager Jun 2013 2011.1r1

    Check Point (LEA) LEA Aug 2011 2011.1r1

    Cisco SDEE SDEE Sep 2009 6r3

    Database (JDBC) DATABASE Dec 2012 2011.1r2

    File FILE Oct 2011 2011.1r1

    IBM Mainframe MAINFRAME Sep 2008 6r1

    NetIQ Audit AUDIT Sep 2013 2011.1r2

    Process PROCESS Aug 2009 6r3

    SAP XAL SAP Sep 2009 6r2

    SNMP SNMP Dec 2011 2011.1r1

    Sentinel Link SENTINEL_LINK Feb 2013 2011.1r3

    Syslog SYSLOG Feb 2013 2011.1r2

    Test Data Generator TEST_DATA_GEN Aug 2009 6r1

    Windows Event (WMI) WMS Mar 2013 2011.1r2

    3.1 Overview of the connection methods

    3.1.1 Agent Manager

    The Agent Manager Connector routes events sent by the Agent Manager Central Computer to the appropriate Collector for parsing and normalization. The Agent Manager Central Computer communicates directly with the Agent Manager Agents that collect data from monitored servers. The Agent Manager Connector does the following:

    • Listens on the HTTP or HTTPS ports for JSON messages by using an embedded Jetty server.
    • Auto-instantiates event sources, event source groups (Connectors), and Collectors, if required.
    • Routes events from Agent Manager agents to the appropriate Event Sources and Collectors.


    3.1.2 Check Point (LEA)

    The Check Point (LEA) Connector does the following:

    • Connects to the Check Point Firewall Server or Firewall Management Server to read both Firewall logs and Audit logs.
    • Supports the following communication protocols:
      o Cleartext (no encryption)
      o SSL with certificates (Check Point Firewall NG and above only)
      o SSL with keys (Check Point Firewall NG and above only)
      o SSL with no keys/certificates (firewall 4.1 only)
    • Supports configurable data field resolution.
    • Supports setting and maintaining an offset, or point at which to start reading data.
    • Supports resolving hostname/IP, Service, Protocol, and other fields.

    The values in the LEA message are in a Name Value Pair (NVP) format. The data in the LEA message is in a binary format. The raw data is manipulated so that it is more easily human readable, but the individual values in the NVP are saved exactly as they are found in the original format.

    3.1.3 Cisco SDEE

    The SDEE Connector does the following:

    • Makes connections to SDEE devices through HTTPS or HTTP connections.
    • Filters to fetch specific events.
    • Sets an offset (a starting point for reading data).

    Raw Data Format: The values in the SDEE message are in a Name Value Pair format. The data in the SDEE message is in XML format. The raw data is manipulated so that it is more easily human readable and can be stored in a single line in the raw data file, but the individual values in the NVP are saved exactly as they are found in the original format.

    3.1.4 Database (JDBC)

    The Database Connector does the following:

    • Connects to the major database platforms through a JDBC connection.
    • Runs an SQL query directly on the source databases or executes a stored procedure.
    • Returns the query results to the Collector in either NVP (name value pair) or data map format.
    • Supports an offset to specify the starting point for data collection in the database.
    • Verifies that a valid JDBC driver is available to connect to the database.
    • Supports uploading a JDBC driver file.
    • Supports testing the connection with the database to validate the configuration settings and the availability of the network connection.
    • Starts and stops the connection with the databases.
    • Automatically reconnects to the database server if the Connector loses its connection to the database server for any reason (such as a database server shutdown).
    • Supports the Secure Socket Layer (SSL) protocol to retrieve data from the database.


    • Ensures reliability:
      o Uses the JDBC protocol over TCP, which is a connection-oriented protocol. This ensures guaranteed reliability of the data transferred over the network.
      o Maintains an offset containing the last record processed successfully. If there is a system crash or a server restart, data collection resumes from where it left off without any duplicates.
      o Automatically reconnects to the event sources if the connection is lost.

    3.1.5 File

    The File Connector does the following:

    • Reads local or remote files accessible to the user running the Sentinel service from the Collector Manager.
    • Reads records from any file-type Event Source and passes each record to a Collector script for processing.

    3.1.6 IBM Mainframe

    The Mainframe Connector intercepts write-to-operator (WTO) console messages from the mainframe, translates them into standard syslog format, and sends them to Novell Sentinel.

    3.1.7 NetIQ Audit

    The Audit Connector does the following:

    • Server Component:
      o Listens on a configurable TCP port for connections from Platform Agents
      o Receives and processes messages (events) from the Platform Agents
      o Filters messages based on application
      o Buffers messages to increase the reliability of message delivery. For more information.
      o Communicates with the Platform Agents using SSL
    • Client Component:
      o Forwards the event message from the Audit Connector to the appropriate Collector.
      o Automatically creates Event Sources based on a user-configured auto-configuration policy.

    3.1.8 Process

    The Process Connector supports the following functionality:

    • Starts and stops processes that connect to devices, for example, a custom-coded executable to pull event data from a proprietary event source.
    • Captures Standard Output and Standard Error from processes.
    • Restarts the process if the process exits unexpectedly.
    • Supports a filtering feature to fetch specific events from the Standard Output and Standard Error of the process.


    • Accepts Collector TX messages and feeds them to the Standard Input of the process.

    Raw Data: The complete "line" of text read from stdout/stderr. The raw data is not manipulated.

    3.1.9 SAP XAL

    This Connector is designed to provide data collection services using standard SAP protocols. It does the following:

    • Makes connections to SAP CCMS services through SAP BAPI protocols, using the sapjco3 libraries.
    • Polls for alert data from a configured SAP CCMS Monitoring Tree node.
    • Formats alerts as JSON records and forwards them to the SAP CCMS Collector.
    • Acknowledges received alerts.

    3.1.10 SNMP

    The SNMP Connector does the following:

    • Starts and stops a connector that subscribes to an SNMP server listening on a UDP port.
    • Supports filtering to fetch specific events from the SNMP traps by applying regex patterns to the input data at the Connector level.
    • Can spawn multiple trap receiver servers and multiplex the trap data into one Collector.
    • Supports multiple subscriptions from a single Collector to one SNMP server.
    • Supports SNMP v1, SNMP v2, and SNMP v3 trap messages.
    • Supports SNMP traps from communities other than public.
    • Supports character encoding. This is needed for receiving SNMP trap messages containing double-byte characters in languages such as Chinese, Japanese, and so forth.

    Raw Data Format: The values in the SNMP trap are in a Name Value Pair format. The data in the SNMP trap is in a binary format. The raw data is manipulated so that it is human readable, but the individual values in the NVP are saved exactly as they are found in the original format.

    3.1.11 Sentinel Link

    The Sentinel Link Connector does the following:

    • Sentinel Link Server Component:
      o Listens on HTTP or HTTPS ports for JSON messages (using an embedded Tomcat server). The content type for messages must be application/json or application/json-compressed. The application/json-compressed content type indicates that the message is compressed by using ZLIB compression. Compressed data must be in the ZLIB format. In addition, there must be an Uncompressed-Length header that contains the uncompressed length of the original data. The uncompressed JSON string must be a UTF-8 string.
      o Auto-instantiates event sources, event source groups (Connectors), and Collectors if required.


      o No parsing of the JSON is done. Un-tweaked messages are forwarded to event sources and event source groups.
    • Sentinel Link Event Source Component: Forwards the event message (including both structure and content) from the Sentinel Link server to the Collector without modifications.
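The framing rules the server component enforces (content type, ZLIB body, Uncompressed-Length header, UTF-8 text, no parsing of the JSON itself), worked as an added Python example. This is not code from the SIEM product or from this document; the function names, the SentinelLinkError class and the sample event are constructed, and the receiver additionally uses Uncompressed-Length as a hard bound so an oversized inflated body is rejected instead of consuming memory.

```python
import json
import zlib


class SentinelLinkError(ValueError):
    """Raised when a message violates the Sentinel Link framing rules."""


def build_message(event, compress):
    """Hypothetical sender side: returns (headers, body) for one message.

    The JSON string is UTF-8 encoded; with compress=True it is wrapped in
    the ZLIB format and an Uncompressed-Length header is added.
    """
    raw = json.dumps(event, separators=(",", ":")).encode("utf-8")
    if not compress:
        return {"Content-Type": "application/json"}, raw
    headers = {
        "Content-Type": "application/json-compressed",
        "Uncompressed-Length": str(len(raw)),
    }
    return headers, zlib.compress(raw)


def receive_message(headers, body):
    """Hypothetical server side: checks the framing and returns the JSON
    text untouched (the Connector itself does no parsing of the JSON).

    Uncompressed-Length is also used as a hard bound on the inflated size,
    so a body that inflates beyond what it declares is rejected.
    """
    ctype = headers.get("Content-Type", "")
    if ctype == "application/json":
        raw = body
    elif ctype == "application/json-compressed":
        try:
            expected = int(headers["Uncompressed-Length"])
        except (KeyError, ValueError):
            raise SentinelLinkError("missing or invalid Uncompressed-Length")
        if expected < 0:
            raise SentinelLinkError("negative Uncompressed-Length")
        inflater = zlib.decompressobj()
        try:
            # Stop inflating one byte past the declared length.
            raw = inflater.decompress(body, expected + 1)
        except zlib.error as exc:
            raise SentinelLinkError(f"body is not ZLIB data: {exc}")
        if len(raw) != expected or not inflater.eof or inflater.unused_data:
            raise SentinelLinkError("Uncompressed-Length does not match body")
    else:
        raise SentinelLinkError(f"unsupported content type {ctype!r}")
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        raise SentinelLinkError("payload is not valid UTF-8")


# Constructed sample event (not from the document).
SAMPLE_EVENT = {"msg": "login failed", "host": "srv1"}

if __name__ == "__main__":
    hdrs, body = build_message(SAMPLE_EVENT, compress=True)
    print(hdrs, receive_message(hdrs, body))
```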

    3.1.12 Syslog

    The Syslog Connector does the following:

    • Syslog Server Component:
      o Listens on TCP, UDP, or SSL (over TCP) ports for Syslog messages.
      o Parses each incoming message looking for the standard Syslog message components (Priority, Date, host name, and Message).
      o Inserts supplementary data using RFC 3164 "BSD Syslog Protocol" if the message is missing Priority, Date, or host name.
      o Determines Facility and Severity from the Priority.
      o Filters messages sent to Syslog clients based on Facility and Severity.
      o Buffers Syslog messages in memory and on the file system to increase the reliability of message delivery.
      o Provides a secure channel with end devices (SSL over TCP) to collect data. Supports certificate-based mutual authentication.
      o Supports TCP to reliably collect data from end devices.
      o Stores messages in a file-based persistent store. This helps the Syslog Connector handle high incoming event spikes, prevent event drops, reduce memory usage by off-loading events to the file system, and retain data in the event of a system crash.
    • Syslog Client Component:
      o Forwards the event message (including both structure and content) from the Syslog server to the Collector without modifications.
      o Filters messages submitted to the Collector for parsing based on Syslog Severity, Facility, or message content.
      o Automatically creates Event Sources based on a user-configured auto-configuration policy.
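The parsing, RFC 3164 fill-in and Facility/Severity filtering steps listed for the Syslog server and client components, worked as an added Python example. This is not code from the SIEM product or from this document; the function names, the relay host name and the sample lines are constructed, and the fill-in values follow RFC 3164 sections 4.3.2 and 4.3.3.

```python
import re
from datetime import datetime

# Severity names from RFC 3164 section 4.1.1 (0 is the most severe).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
_PRI_RE = re.compile(r"^<(\d{1,3})>")
# BSD syslog HEADER ("Mmm dd hh:mm:ss HOSTNAME ") followed by the MSG part.
_HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ 0-3]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$",
    re.DOTALL)


def bsd_timestamp(dt):
    """RFC 3164 TIMESTAMP: month name, space-padded day, hh:mm:ss."""
    return f"{dt:%b} {dt.day:2d} {dt:%H:%M:%S}"


def parse_syslog(line, relay_host, now=None):
    """Split one syslog line into PRI, TIMESTAMP, HOSTNAME and MSG.

    As the server component above is described: a missing or invalid PRI
    becomes <13> (user.notice, RFC 3164 4.3.3) and a missing TIMESTAMP or
    HOSTNAME is filled with the relay's own values (4.3.2); 'supplied'
    lists the fields that were filled in.
    """
    now = now or datetime.now()
    supplied = []
    m = _PRI_RE.match(line)
    if m and int(m.group(1)) <= 191:  # max PRI: facility 23, severity 7
        pri = int(m.group(1))
        rest = line[m.end():]
        h = _HEADER_RE.match(rest)
        if h:
            ts, host, msg = h.group("ts"), h.group("host"), h.group("msg")
        else:
            ts, host, msg = bsd_timestamp(now), relay_host, rest
            supplied = ["timestamp", "hostname"]
    else:
        pri, ts, host, msg = 13, bsd_timestamp(now), relay_host, line
        supplied = ["priority", "timestamp", "hostname"]
    return {
        "priority": pri,
        "facility": pri >> 3,  # PRI = facility * 8 + severity
        "severity": pri & 7,
        "severity_name": SEVERITIES[pri & 7],
        "timestamp": ts,
        "hostname": host,
        "message": msg,
        "supplied": supplied,
    }


def accept(event, max_severity=7, facilities=None):
    """Facility/Severity filter: keep events at least as severe as
    max_severity (lower is more severe) and, if given, only from the
    listed facility numbers."""
    if event["severity"] > max_severity:
        return False
    return facilities is None or event["facility"] in facilities


# Constructed sample lines: the example from RFC 3164, one with a PRI but
# no header, and one with no PRI at all.
SAMPLE_LINES = ["<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
                "<13>interface eth0 link down", "kernel: audit: backlog limit exceeded"]
```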

    3.1.13 Test Data Generator

    The Data Generator Connector does the following:

    • Generates random test data at a specified rate per second that can be parsed by the Generic Event Collector.

    Raw Data Format: The generated message.

    3.1.14 Windows Event (WMI)

    This Sentinel plug-in supports the following functionalities:

    • Supports remote (agent-less) collection of Windows Event Logs.
    • Supports collecting historical and real-time events from Windows Event Logs.


    • Supports collecting events from domain and non-domain environments.
    • Supports fetching specific events (filtering) from the event logs.
    • Collects data from different types of event logs such as Application, Security, and System.
    • Supports event source synchronization with the Active Directory.
    • Provides a secure channel (WMI) from WECS to event sources to collect data.
    • Provides a secure channel (SSL over TCP) from WECS to the Connector.
    • Compresses (gZip) events sent from WECS to the Connector.
    • Ensures reliable event collection by using WMI.
    • WECS reconnects to the event sources and Connectors in case the connection is lost.

    4. Document Change Control

    Issue Number Issue Date Changed By Details

    1.0 January 23, 2013 Mahesh Patharkar Version 1.0

    1.1 May 03, 2013 Mahesh Patharkar Version 1.1

    1.2 September 16, 2013 Mahesh Patharkar Version 1.2

    -End of Document-