EXT_SOC_DOC_Supported devices and connection methods
Version 1.2
9/16/2013 SecurView
HIGHLY CONFIDENTIAL

Page 2 | SecurView Confidential Private Use Only
Table of Contents
1. Introduction .......... 3
1.1 Purpose .......... 3
1.2 Scope .......... 3
1.3 Reference Document .......... 3
2. Supported vendor devices in SIEM .......... 4
3. Connection methods in SIEM .......... 9
3.1 Overview of the connection methods .......... 9
4. Document Change Control .......... 14
1. Introduction
1.1 Purpose
The purpose of this document is to provide the list of vendor devices and connection methods supported by the SIEM application.
1.2 Scope
The scope of this document is the SIEM application.
1.3 Reference Document
2. Supported vendor devices in SIEM
The SIEM application uses Collectors and Connectors (scripts) to on-board devices. The following table lists the vendor devices for which Collectors are available from the SIEM vendor; in short, these are the devices supported in the SIEM application. The table also shows the connection method (Connector) used for each device.
Table 1

| Vendor | Core Product | Build Date | Version | Connectors |
|---|---|---|---|---|
| AirPatrol | Wireless Locator System | Apr 2010 | 6.1r1 | SYSLOG |
| Apache | HTTP Server | Sep 2011 | 2011.1r1 | FILE, SYSLOG |
| Attachmate | Luminet | Jun 2012 | 2011.1r1 | SYSLOG |
| Barracuda | Web Application Firewall | Apr 2010 | 6.1r1 | SYSLOG |
| Blue Coat | ProxySG Appliances | Jul 2013 | 2011.1r1 | SYSLOG, FILE |
| CA | SiteMinder | Jul 2011 | 6.1r1 | DATABASE |
| Check Point | Security Gateways | May 2013 | 2011.1r1 | LEA |
| Cisco | Aironet | Jul 2011 | 6.1r1 | SYSLOG |
| Cisco | Firewall | Jan 2013 | 2011.1r1 | SYSLOG |
| Cisco | Intrusion Prevention | Jun 2012 | 6.1r4 | SDEE |
| Cisco | IronPort | Jul 2011 | 6.1r1 | SYSLOG, FILE |
| Cisco | Network Admission Control | Jul 2011 | 6.1r1 | DATABASE, SYSLOG |
| Cisco | Secure Access Control Server | Jul 2013 | 2011.1r1 | SYSLOG |
| Cisco | Security Agent | Jun 2010 | 6.1r2 | DATABASE |
| Cisco | Switch and Router | Nov 2009 | 6.1r2 | SYSLOG |
| Cisco | VPN 3000 | Sep 2009 | 6.1r1 | SYSLOG |
| Cisco | Wireless LAN Controller | Jul 2011 | 6.1r1 | SYSLOG |
| Enterasys | Dragon | Sep 2009 | 6.1r1 | SYSLOG |
| Extreme Networks | Summit Series | Jan 2010 | 6.1r1 | SYSLOG |
| F5 | BIG-IP | Jul 2010 | 6.1r1 | SYSLOG |
| F5 | Firepass | Jul 2010 | 6.1r1 | SYSLOG |
| Fortinet | FortiGate | Feb 2013 | 2011.1r1 | SYSLOG |
| Generic | Asset | Sep 2009 | 6.1r2 | FILE |
| NetIQ | Universal Event | Feb 2013 | 2011.1r1 | FILE, SYSLOG, SNMP, WMS, DATABASE, PROCESS, LEA, SDEE, AUDIT, TEST_DATA_GEN |
| Generic | Hostname Resolution Service | May 2011 | 6.1r2 | NA |
| Generic | IP Geolocation Service | Mar 2011 | 6.1r1 | FILE |
| Generic | Identity | Sep 2009 | 6.1r1 | FILE |
| HP | HP-UX | Jan 2013 | 2011.1r1 | SYSLOG |
| IBM | AIX | Jul 2012 | 6.1r3 | SYSLOG |
| IBM | DB2 | Jun 2011 | 6.1r3 | DATABASE, FILE |
| IBM | Lotus Domino | Jun 2010 | 6.1r1 | SNMP, SYSLOG, WMS |
| IBM | Proventia Network Enterprise Scanner | Jul 2009 | 6.1r1 | DATABASE |
| IBM | Tivoli Access Manager for Operating Systems | Apr 2010 | 6.1r1 | FILE |
| IBM | WebSphere Application Server | Feb 2010 | 6.1r1 | FILE |
| IBM | iSeries | Feb 2013 | 2011.1r3 | SYSLOG, FILE |
| IBM | zOS | Nov 2009 | 6.1r1 | SYSLOG |
| Insecure.org | Nmap | Apr 2010 | 6.1r1 | FILE |
| Juniper | IDP Series | Feb 2010 | 6.1r1 | SYSLOG |
| Juniper | Netscreen Series | Nov 2012 | 2011.1r1 | SYSLOG |
| Juniper | Routers and Gateways | Dec 2010 | 6.1r2 | SYSLOG |
| Juniper | SA Series | Dec 2010 | 6.1r1 | SYSLOG |
| McAfee | Firewall Enterprise | Jul 2013 | 2011.1r1 | SYSLOG |
| McAfee | Host Intrusion Prevention | Oct 2010 | 6.1r2 | DATABASE |
| McAfee | Network Security Platform | Oct 2010 | 6.1r2 | DATABASE |
| McAfee | VirusScan Enterprise | Jul 2013 | 2011.1r1 | FILE, WMS |
| McAfee | Vulnerability Manager | Dec 2009 | 6.1r2 | DATABASE |
| McAfee | ePolicy Orchestrator | Oct 2010 | 6.1r5 | DATABASE |
| Microsoft | Active Directory Identities | Sep 2011 | 2011.1r1 | FILE |
| Microsoft | Active Directory and Windows | Feb 2013 | 2011.1r3 | WMS, SYSLOG |
| Microsoft | DHCP | Sep 2011 | 2011.1r1 | FILE |
| Microsoft | Exchange Server | Jul 2013 | 2011.1r2 | WMS, FILE |
| Microsoft | Forefront Protection 2010 for Exchange | Jul 2011 | 6.1r1 | WMS |
| Microsoft | Forefront Server Security Management | Jul 2011 | 6.1r1 | DATABASE |
| Microsoft | Forefront Threat Management Gateway | Jul 2011 | 6.1r1 | DATABASE, FILE |
| Microsoft | IIS | May 2013 | 2011.1r1 | SYSLOG, FILE |
| Microsoft | ISA Server | Dec 2009 | 6.1r1 | FILE |
| Microsoft | SQL Server | Dec 2009 | 6.1r2 | SYSLOG, DATABASE |
| Microsoft | System Center Operations Manager | Jan 2010 | 6.1r1 | DATABASE |
| NetIQ | Agent Manager | Jun 2013 | 2011.1r3 | SYSLOG |
| NetIQ | Change Guardian (Legacy) | Sep 2011 | 2011.1r1 | SYSLOG |
| NetIQ | UNIX Agent | Jul 2013 | 2011.1r3 | SYSLOG |
| Nortel | VPN | Sep 2009 | 6.1r1 | SYSLOG |
| Novell | Access Governance Suite | Apr 2010 | 6.1r1 | DATABASE |
| Novell | Access Manager SSL VPN | Mar 2010 | 6.1r1 | AUDIT |
| NetIQ | Access Manager | Oct 2012 | 2011.1r1 | FILE, AUDIT |
| NetIQ | Cloud Manager | Jun 2012 | 2011.1r1 | FILE, SYSLOG |
| Novell | Cloud Security Service | May 2011 | 6.1r1 | SYSLOG |
| Novell | Identity Manager | Apr 2011 | 6.1r7 | AUDIT, SYSLOG |
| Novell | Identity Vault | Sep 2009 | 6.1r2 | Not Applicable |
| Novell | Modular Authentication Services | Nov 2009 | 6.1r3 | AUDIT, FILE |
| Novell | NetWare | Jan 2010 | 6.1r4 | AUDIT, FILE |
| Novell | Open Enterprise Server | Mar 2011 | 6.1r6 | SYSLOG |
| Novell | PlateSpin Orchestrate | Oct 2010 | 6.1r1 | SYSLOG |
| Novell | Privileged User Manager | Sep 2009 | 6.1r1 | SYSLOG |
| SUSE | Linux Enterprise Server | Jul 2013 | 2011.1r1 | SYSLOG |
| Novell | SecretStore | Jan 2010 | 6.1r1 | AUDIT, FILE |
| Novell | SecureLogin | Dec 2009 | 6.1r2 | WMS, SYSLOG |
| Novell | Sentinel Link | Sep 2011 | 2011.1r1 | SENTINEL_LINK |
| Novell | eDirectory | Jan 2013 | 2011.1r1 | AUDIT, SYSLOG |
| Novell | iManager | Apr 2011 | 6.1r4 | AUDIT |
| OpenLDAP | slapd | Feb 2010 | 6.1r1 | SYSLOG |
| Oracle | BEA WebLogic Server | Nov 2009 | 6.1r1 | FILE |
| Oracle | Database | Mar 2011 | 6.1r2 | DATABASE |
| Oracle | Solaris | May 2013 | 2011.1r1 | SYSLOG |
| Qualys | QualysGuard | Jul 2009 | 6.1r1 | FILE |
| RSA | ACE Server | Jan 2010 | 6.1r1 | FILE |
| Rapid7 | NeXpose | Feb 2010 | 6.1r2 | DATABASE |
| Red Hat | Enterprise Linux | May 2013 | 2011.1r1 | SYSLOG |
| SAP | CCMS | Jun 2012 | 6.1r3 | SAP |
| SonicWALL | Firewall | Jan 2013 | 2011.1r1 | SYSLOG |
| Sourcefire | Snort | Feb 2013 | 2011.1r1 | FILE, SYSLOG, DATABASE |
| Oracle | Directory Server Enterprise Edition | Nov 2012 | 2011.1r1 | FILE |
| Sun | MySQL | Nov 2009 | 6.1r1 | DATABASE |
| Symantec | Critical System Protection | Apr 2010 | 6.1r1 | DATABASE |
| Symantec | Endpoint Protection | Apr 2013 | 2011.1r2 | SYSLOG, FILE, DATABASE |
| Tenable | Nessus | Nov 2009 | 6.1r2 | FILE |
| TippingPoint | Security Management System | Apr 2010 | 6.1r3 | SYSLOG |
| Trend Micro | OfficeScan | Aug 2013 | 2011.1r1 | FILE, WMS |
| Websense | Web Security | Nov 2012 | 2011.1r1 | SNMP, DATABASE |
| eEye | REM | Oct 2011 | 6.1r3 | DATABASE |
| eEye | Retina | Jul 2009 | 6.1r1 | DATABASE |
| nCircle | IP360 | Jul 2009 | 6.1r1 | FILE |
3. Connection methods in SIEM
The SIEM application supports the connection methods listed in Table 2; these are the Connectors referenced in the last column of Table 1.

Table 2

| Name | Short Name | Build Date | Version |
|---|---|---|---|
| Agent Manager | Agent_Manager | Jun 2013 | 2011.1r1 |
| Check Point (LEA) | LEA | Aug 2011 | 2011.1r1 |
| Cisco SDEE | SDEE | Sep 2009 | 6r3 |
| Database (JDBC) | DATABASE | Dec 2012 | 2011.1r2 |
| File | FILE | Oct 2011 | 2011.1r1 |
| IBM Mainframe | MAINFRAME | Sep 2008 | 6r1 |
| NetIQ Audit | AUDIT | Sep 2013 | 2011.1r2 |
| Process | PROCESS | Aug 2009 | 6r3 |
| SAP XAL | SAP | Sep 2009 | 6r2 |
| SNMP | SNMP | Dec 2011 | 2011.1r1 |
| Sentinel Link | SENTINEL_LINK | Feb 2013 | 2011.1r3 |
| Syslog | SYSLOG | Feb 2013 | 2011.1r2 |
| Test Data Generator | TEST_DATA_GEN | Aug 2009 | 6r1 |
| Windows Event (WMI) | WMS | Mar 2013 | 2011.1r2 |
3.1 Overview of the connection methods

3.1.1 Agent Manager
The Agent Manager Connector routes events sent by the Agent Manager Central Computer to the appropriate Collector for parsing and normalization. The Agent Manager Central Computer communicates directly with the Agent Manager Agents that collect data from monitored servers. The Agent Manager Connector does the following:
- Listens on the HTTP or HTTPS ports for JSON messages, using an embedded Jetty server.
- Auto-instantiates event sources, event source groups (Connectors), and Collectors, if required.
- Routes events from Agent Manager agents to the appropriate Event Sources and Collectors.
3.1.2 Check Point (LEA)
The Check Point (LEA) Connector does the following:
- Connects to a Check Point Firewall Server or Firewall Management Server to read both Firewall logs and Audit logs.
- Supports the following communication protocols:
  o Cleartext (no encryption)
  o SSL with certificates (Check Point Firewall NG and above only)
  o SSL with keys (Check Point Firewall NG and above only)
  o SSL with no keys/certificates (firewall 4.1 only)
- Supports configurable data field resolution.
- Supports setting and maintaining an offset, that is, the point at which to start reading data.
- Supports resolving hostname/IP, Service, Protocol, and other fields.
The values in the LEA message are in Name Value Pair (NVP) format; the underlying data in the LEA message is binary. The raw data is manipulated so that it is more easily human readable, but the individual values in the NVP are saved exactly as they are found in the original format.
3.1.3 Cisco SDEE
The SDEE Connector does the following:
- Connects to SDEE devices over HTTPS or HTTP.
- Filters to fetch specific events.
- Sets an offset (a starting point for reading data).
Raw Data Format: The values in the SDEE message are in Name Value Pair format; the underlying data in the SDEE message is XML. The raw data is manipulated so that it is more easily human readable and can be stored as a single line in the raw data file, but the individual values in the NVP are saved exactly as they are found in the original format.
3.1.4 Database (JDBC)
The Database Connector does the following:
- Connects to the major database platforms through a JDBC connection.
- Runs an SQL query directly on the source database or executes a stored procedure.
- Returns the query results to the Collector in either NVP (name value pair) or data map format.
- Supports an offset to specify the starting point for data collection in the database.
- Verifies that a valid JDBC driver is available to connect to the database.
- Supports uploading a JDBC driver file.
- Supports testing the connection with the database to validate the configuration settings and the availability of the network connection.
- Starts and stops the connection with the databases.
- Automatically reconnects to the database server if the Connector loses its connection for any reason (such as a database server shutdown).
- Supports the Secure Socket Layer (SSL) protocol to retrieve data from the database.
- Ensures reliability:
  o Uses the JDBC protocol over TCP, a connection-oriented protocol, which guarantees reliable delivery of the data transferred over the network.
  o Maintains an offset containing the last record processed successfully. After a system crash or a server restart, data collection resumes from where it left off, without duplicates.
  o Automatically reconnects to the event sources if the connection is lost.
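The offset-based resume behaviour described for the Database Connector, as an added illustration that is not code from the SIEM product: sqlite3 stands in for the JDBC connection, the table, rows and column names are constructed for the example, and the "crash" is simulated by discarding the poller while the offset store survives. The offset is advanced only after a row has been handed over, and the query is parameterised rather than built by string concatenation.

```python
import sqlite3
from typing import Dict, List

# Constructed sample event-source table. sqlite3 stands in for the JDBC
# connection; the "id" column is the monotonically increasing offset column.
SAMPLE_ROWS = [
    (1, "2013-09-16 10:00:01", "login", "alice"),
    (2, "2013-09-16 10:00:05", "login", "bob"),
    (3, "2013-09-16 10:00:09", "logout", "alice"),
    (4, "2013-09-16 10:00:12", "login_failed", "mallory"),
    (5, "2013-09-16 10:00:20", "logout", "bob"),
]


def make_source_db() -> sqlite3.Connection:
    """Create an in-memory 'audit_log' table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE audit_log (id INTEGER PRIMARY KEY, ts TEXT, action TEXT, username TEXT)"
    )
    conn.executemany("INSERT INTO audit_log VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


class OffsetStore:
    """Holds the last successfully processed offset. A real Connector persists
    this to disk so it survives a crash; here it simply outlives the poller,
    which is enough to show the resume behaviour."""

    def __init__(self, start: int = 0) -> None:
        self.last_offset = start

    def commit(self, offset: int) -> None:
        self.last_offset = offset


def poll_once(conn: sqlite3.Connection, store: OffsetStore, batch_size: int = 2) -> List[Dict]:
    """Fetch rows strictly newer than the stored offset, ordered by the offset
    column, and hand each one over as an NVP (dict). The offset is committed
    only after a row has been emitted, so a crash between rows neither loses
    nor duplicates a record. Bound parameters keep the offset out of the SQL text."""
    cur = conn.execute(
        "SELECT id, ts, action, username FROM audit_log WHERE id > ? ORDER BY id LIMIT ?",
        (store.last_offset, batch_size),
    )
    events = []
    for row_id, ts, action, username in cur.fetchall():
        events.append({"id": row_id, "ts": ts, "action": action, "username": username})
        store.commit(row_id)
    return events


def drain(conn: sqlite3.Connection, store: OffsetStore, stop_after_batches: int = 0) -> List[Dict]:
    """Poll until the source is exhausted. If stop_after_batches > 0 the poller
    'crashes' after that many batches, simulating a server restart."""
    delivered: List[Dict] = []
    batches = 0
    while True:
        batch = poll_once(conn, store)
        if not batch:
            return delivered
        delivered.extend(batch)
        batches += 1
        if stop_after_batches and batches >= stop_after_batches:
            return delivered


def collect_with_restart(crash_after_batches: int = 1) -> List[int]:
    """Run the poller, crash it, start a fresh poller against the same
    persisted offset, and return the ids delivered across both runs."""
    conn = make_source_db()
    store = OffsetStore()
    first_run = drain(conn, store, stop_after_batches=crash_after_batches)
    second_run = drain(conn, store)  # resumes from store.last_offset
    return [e["id"] for e in first_run + second_run]


if __name__ == "__main__":
    print(collect_with_restart())  # [1, 2, 3, 4, 5]: every row once, none repeated
```

Committing the offset per row rather than per batch is the choice that makes the resume exact; committing per batch would re-deliver the rows of an interrupted batch, which a downstream Collector would then have to de-duplicate.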
3.1.5 File
The File Connector does the following:
- Reads local or remote files that are accessible to the user running the Sentinel service from the Collector Manager.
- Reads records from any file-type Event Source and passes each record to a Collector script for processing.
3.1.6 IBM Mainframe
The Mainframe Connector intercepts write-to-operator (WTO) console messages from the mainframe, translates them into standard syslog format, and sends them to Novell Sentinel.
3.1.7 NetIQ Audit
The Audit Connector does the following:
- Server Component:
  o Listens on a configurable TCP port for connections from Platform Agents
  o Receives and processes messages (events) from the Platform Agents
  o Filters messages based on application
  o Buffers messages to increase the reliability of message delivery
  o Communicates with the Platform Agents using SSL
- Client Component:
  o Forwards the event message from the Audit Connector to the appropriate Collector
  o Automatically creates Event Sources based on a user-configured auto-configuration policy
3.1.8 Process
The Process Connector supports the following functionality:
- Starts and stops processes that connect to devices, for example, a custom-coded executable that pulls event data from a proprietary event source.
- Captures Standard Output and Standard Error from the processes.
- Restarts the process if it exits unexpectedly.
- Supports a filtering feature to fetch specific events from the Standard Output and Standard Error of the process.
- Accepts Collector TX messages and feeds them to the Standard Input of the process.
Raw Data: The complete "line" of text read from stdout/stderr. The raw data is not manipulated.
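A minimal supervisor showing the Process Connector behaviours listed above (start, feed stdin, capture stdout and stderr line by line, regex filter, restart on unexpected exit), as an added example that is not the product's code. The child "executable" is a constructed Python script run through the interpreter; its exit code is a parameter so that both the clean-exit and the restart paths can be exercised. `run_supervised` collects output after each exit rather than streaming it, which is sufficient to show the behaviour but is an assumption of this example, not a description of the Connector's internals.

```python
import re
import subprocess
import sys
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a "custom-coded executable": echoes whatever the
# Collector sends on stdin, emits two events on stdout and one diagnostic on
# stderr, then exits with the status given as its first argument.
CHILD_SCRIPT = r"""
import sys
for line in sys.stdin:
    print("ack: " + line.strip())
print("event: user=alice action=login")
print("event: user=bob action=logout")
print("warning: queue depth 3", file=sys.stderr)
sys.exit(int(sys.argv[1]))
"""


def run_supervised(cmd: List[str], stdin_text: str = "", line_filter: Optional[str] = None,
                   max_restarts: int = 2, timeout: int = 30) -> Dict:
    """Start the process, feed it the Collector TX text, capture stdout and
    stderr line by line, keep only lines matching line_filter (if given), and
    restart the process when it exits with a non-zero status, at most
    max_restarts times. Lines are kept verbatim: the raw data is not manipulated."""
    pattern = re.compile(line_filter) if line_filter else None
    events: List[Tuple[str, str]] = []
    restarts = 0
    while True:
        proc = subprocess.run(cmd, input=stdin_text, capture_output=True, text=True, timeout=timeout)
        for stream, text in (("stdout", proc.stdout), ("stderr", proc.stderr)):
            for line in text.splitlines():
                if pattern is None or pattern.search(line):
                    events.append((stream, line))
        if proc.returncode == 0 or restarts >= max_restarts:
            return {"events": events, "restarts": restarts, "last_rc": proc.returncode}
        restarts += 1  # unexpected exit: loop around and start the process again


def demo(exit_code: int, line_filter: Optional[str] = r"^event:") -> Dict:
    """Run the constructed child under supervision with a one-line TX message."""
    cmd = [sys.executable, "-c", CHILD_SCRIPT, str(exit_code)]
    return run_supervised(cmd, stdin_text="poll\n", line_filter=line_filter)


if __name__ == "__main__":
    print(demo(0))
```

Capping restarts matters operationally: a child that crashes immediately on every start would otherwise be relaunched in a tight loop, and each relaunch re-emits whatever it printed before dying, which the Collector sees as repeated events.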
3.1.9 SAP XAL
This Connector provides data collection services using standard SAP protocols. It does the following:
- Connects to SAP CCMS services through SAP BAPI protocols, using the sapjco3 libraries.
- Polls for alert data from a configured SAP CCMS Monitoring Tree node.
- Formats alerts as JSON records and forwards them to the SAP CCMS Collector.
- Acknowledges received alerts.
3.1.10 SNMP
The SNMP Connector does the following:
- Starts and stops a connector that subscribes to an SNMP server listening on a UDP port.
- Supports filtering to fetch specific events from the SNMP traps by applying regex patterns to the input data at the Connector level.
- Can spawn multiple trap receiver servers and multiplex the trap data into one Collector.
- Supports multiple subscriptions from a single Collector to one SNMP server.
- Supports SNMP v1, SNMP v2, and SNMP v3 trap messages.
- Supports SNMP traps with a community string other than public.
- Supports character encoding, which is needed to receive SNMP trap messages containing double-byte characters in languages such as Chinese and Japanese.
Raw Data Format: The values in the SNMP trap are in Name Value Pair format; the underlying data in the SNMP trap is binary. The raw data is manipulated so that it is human readable, but the individual values in the NVP are saved exactly as they are found in the original format.
3.1.11 Sentinel Link
The Sentinel Link Connector does the following:
- Sentinel Link Server Component:
  o Listens on HTTP or HTTPS ports for JSON messages (using an embedded Tomcat server). The content type of a message must be application/json or application/json-compressed. The application/json-compressed content type indicates that the message is compressed using ZLIB compression; the compressed data must be in the ZLIB format, and there must be an Uncompressed-Length header that contains the uncompressed length of the original data. The uncompressed JSON string must be a UTF-8 string.
  o Auto-instantiates event sources, event source groups (Connectors), and Collectors if required.
  o Does not parse the JSON. Messages are forwarded unmodified to event sources and event source groups.
- Sentinel Link Event Source Component: Forwards the event message (including both structure and content) from the Sentinel Link server to the Collector without modifications.
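The framing rules just listed (application/json or application/json-compressed, ZLIB body, Uncompressed-Length header, UTF-8 JSON, no rewriting of the message) as a client/server pair, added here as an example and not taken from the Sentinel Link code. The server side treats Uncompressed-Length as untrusted input: it is bounded before inflation and the inflater is capped at the declared size, so a small body cannot be used to exhaust memory, and a header that disagrees with the actual length is rejected. The event dict and the size limit are constructed for the example.

```python
import json
import zlib
from typing import Dict, Tuple

CONTENT_JSON = "application/json"
CONTENT_JSON_COMPRESSED = "application/json-compressed"


class MessageError(ValueError):
    """Raised when a message violates the Sentinel Link framing rules."""


def build_message(event: Dict, compress: bool = True) -> Tuple[Dict[str, str], bytes]:
    """Client side: serialize an event as UTF-8 JSON and, optionally, ZLIB-
    compress it and add the Uncompressed-Length header the server requires."""
    raw = json.dumps(event, ensure_ascii=False).encode("utf-8")
    if not compress:
        return {"Content-Type": CONTENT_JSON}, raw
    headers = {"Content-Type": CONTENT_JSON_COMPRESSED, "Uncompressed-Length": str(len(raw))}
    return headers, zlib.compress(raw)


def decode_message(headers: Dict[str, str], body: bytes, max_uncompressed: int = 1_000_000) -> str:
    """Server side: validate the framing and return the JSON text exactly as
    sent. The text is checked to be well-formed JSON but is not otherwise
    parsed or altered, matching the unmodified forwarding described above."""
    ctype = headers.get("Content-Type", "")
    if ctype == CONTENT_JSON:
        data = body
    elif ctype == CONTENT_JSON_COMPRESSED:
        declared = headers.get("Uncompressed-Length", "")
        if not declared.isdigit():
            raise MessageError("missing or non-numeric Uncompressed-Length header")
        expected = int(declared)
        if expected > max_uncompressed:
            raise MessageError("declared uncompressed length exceeds limit")
        inflater = zlib.decompressobj()
        try:
            # Cap output at expected + 1 bytes: enough to detect an understated header
            # without inflating an arbitrarily large stream.
            data = inflater.decompress(body, expected + 1)
        except zlib.error as exc:
            raise MessageError("body is not valid ZLIB data") from exc
        if len(data) != expected or inflater.unconsumed_tail:
            raise MessageError("uncompressed length does not match header")
    else:
        raise MessageError("unsupported content type: %r" % ctype)
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise MessageError("uncompressed message is not valid UTF-8") from exc
    try:
        json.loads(text)
    except ValueError as exc:
        raise MessageError("message is not well-formed JSON") from exc
    return text


def roundtrip(event: Dict) -> str:
    """Build a compressed message and decode it again on the 'server' side."""
    headers, body = build_message(event, compress=True)
    return decode_message(headers, body)


if __name__ == "__main__":
    print(roundtrip({"src_ip": "192.0.2.10", "action": "login", "result": "failed"}))
```

Checking the declared length before inflating, and capping the inflater, is what turns the Uncompressed-Length header from a convenience into a safety check: without the cap, the header could simply be ignored and a compressed body inflated to whatever size it decompresses to.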
3.1.12 Syslog
The Syslog Connector does the following:
- Syslog Server Component:
  o Listens on TCP, UDP, or SSL (over TCP) ports for Syslog messages.
  o Parses each incoming message looking for the standard Syslog message components (Priority, Date, host name, and Message).
  o Inserts supplementary data as specified in RFC 3164, "The BSD Syslog Protocol", if the message is missing the Priority, Date, or host name.
  o Determines Facility and Severity from the Priority.
  o Filters messages sent to Syslog clients based on Facility and Severity.
  o Buffers Syslog messages in memory and on the file system to increase the reliability of message delivery.
  o Provides a secure channel with end devices (SSL over TCP) to collect data. Supports certificate-based mutual authentication.
  o Supports TCP to reliably collect data from end devices.
  o Stores messages in a file-based persistent store. This helps the Syslog Connector handle high incoming event spikes, prevents event drops, reduces memory usage by off-loading events to the file system, and retains data in the event of a system crash.
- Syslog Client Component:
  o Forwards the event message (including both structure and content) from the Syslog server to the Collector without modifications.
  o Filters messages submitted to the Collector for parsing based on Syslog Severity, Facility, or message content.
  o Automatically creates Event Sources based on a user-configured auto-configuration policy.
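The server-side parsing steps above (split PRI, Date, host name and Message; derive Facility and Severity from PRI; supplement missing fields per RFC 3164; filter by Facility and Severity), as an added example rather than the Connector's own code. The default PRI of 13 (user.notice) for a message with no valid PRI is the value RFC 3164 specifies; the sample lines, the peer address and the facility name table are constructed for the example, and the parser records which fields it inserted so downstream logic can tell sender-supplied values from supplemented ones.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# RFC 3164 PRI is "<N>" with 0 <= N <= 191 (facility * 8 + severity).
PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 3164 header: "Mmm dd hh:mm:ss HOSTNAME " (day is space-padded), then the message.
HEADER_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (\S+) (.*)$", re.DOTALL)

FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
DEFAULT_PRI = 13  # user.notice: the value RFC 3164 says to insert when PRI is missing or invalid


def parse_syslog(line: str, peer: str = "unknown", now: Optional[datetime] = None) -> Dict:
    """Split a BSD syslog line into its components and derive Facility and
    Severity from PRI. A missing PRI, timestamp or host name is supplemented
    (PRI 13, receive time, sender address) and the supplemented field names
    are recorded in the returned event."""
    now = now or datetime.now()
    supplemented: List[str] = []
    m = PRI_RE.match(line)
    if m and int(m.group(1)) <= 191:
        pri, rest = int(m.group(1)), line[m.end():]
    else:
        pri, rest = DEFAULT_PRI, line
        supplemented.append("priority")
    h = HEADER_RE.match(rest)
    if h:
        ts_text, host, msg = h.groups()
        # BSD timestamps carry no year; take it from the receive time.
        ts = datetime.strptime(ts_text, "%b %d %H:%M:%S").replace(year=now.year)
    else:
        ts, host, msg = now, peer, rest
        supplemented.extend(["timestamp", "hostname"])
    facility, severity = pri >> 3, pri & 0x7
    return {
        "priority": pri,
        "facility": facility,
        "facility_name": FACILITY_NAMES[facility],
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "timestamp": ts,
        "host": host,
        "message": msg,
        "supplemented": supplemented,
    }


def passes_filter(event: Dict, max_severity: int = 7, facilities: Optional[List[int]] = None) -> bool:
    """Facility/Severity filter as applied between the Syslog server and its
    clients. Lower severity numbers are more severe, so max_severity=4 keeps
    warning and above; facilities=None means any facility."""
    if event["severity"] > max_severity:
        return False
    return facilities is None or event["facility"] in facilities


# Constructed sample input: two well-formed lines and one bare message with no PRI or header.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<189>Sep 16 08:01:02 fw01 kernel: Connection dropped src=203.0.113.7 dst=192.0.2.4",
    "disk usage at 91%",
]


def filter_sample(max_severity: int = 4) -> List[str]:
    """Parse the sample lines and return the hosts of the events that pass the filter."""
    events = (parse_syslog(line, peer="10.0.0.5") for line in SAMPLE_LINES)
    return [e["host"] for e in events if passes_filter(e, max_severity=max_severity)]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        e = parse_syslog(line, peer="10.0.0.5")
        print(e["facility_name"], e["severity_name"], e["host"], e["supplemented"])
```

Recording which fields were supplemented is the detection-relevant detail: a host name taken from the sender address is only as trustworthy as the transport (UDP syslog can be spoofed), so correlation rules that key on host should prefer events whose host name and timestamp were sender-supplied over a verified channel such as the SSL-over-TCP option above.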
3.1.13 Test Data Generator
The Data Generator Connector does the following:
- Generates random test data at a specified rate per second that can be parsed by the Generic Event Collector.
Raw Data Format: The generated message.
3.1.14 Windows Event (WMI)
This Sentinel plug-in supports the following functionality:
- Supports remote (agent-less) collection of Windows Event Logs.
- Supports collecting historical and real-time events from Windows Event Logs.
- Supports collecting events from domain and non-domain environments.
- Supports fetching specific events (filtering) from the event logs.
- Collects data from different types of event logs, such as Application, Security, and System.
- Supports event source synchronization with Active Directory.
- Provides a secure channel (WMI) from WECS to the event sources to collect data.
- Provides a secure channel (SSL over TCP) from WECS to the Connector.
- Compresses (gzip) events sent from WECS to the Connector.
- Ensures reliable event collection by using WMI.
- WECS reconnects to the event sources and Connectors if the connection is lost.
4. Document Change Control

| Issue Number | Issue Date | Changed By | Details |
|---|---|---|---|
| 1.0 | January 23, 2013 | Mahesh Patharkar | Version 1.0 |
| 1.1 | May 03, 2013 | Mahesh Patharkar | Version 1.1 |
| 1.2 | September 16, 2013 | Mahesh Patharkar | Version 1.2 |

-End of Document-