
An example of enterprise anti-virus integration with a SIEM platform. Part 2



We continue our look at examples of integrating a corporate antivirus with SIEM systems. This time we discuss the options for exporting information from the antivirus to any third-party SIEM system.

In the first part of this article we already covered what SIEM is, what it is for, and what benefits it brings to the expert analysis of information security events. In short, a SIEM system collects a huge amount of primary information from other applications and security systems (for example, firewalls, antivirus, IDS/IPS, etc.), identity and access management systems, operating systems, databases and so on, in order to process this data, find the relationships between the individual records (correlation) and present them in a form convenient for viewing and analysis.

SIEM systems have become an increasingly common topic recently, especially since for certain companies and organizations having their own SIEM system is not only relevant but a requirement.

For the SIEM system to provide the most extensive and complete picture, as many devices, objects and applications as possible must "feed" primary information to it. Clearly, the corporate antivirus is one of the main data providers here. But how do you integrate it with the SIEM system?

Let us consider this question using the cloud-based corporate antivirus Panda Adaptive Defense 360 as an example. In the first part of the article we looked at integrating the antivirus with its own simplified SIEM system, Advanced Reporting Tool. In this second part we consider the situation where the antivirus must be integrated with a third-party SIEM system (the user already has their own SIEM system or plans to purchase one).

SIEMFeeder


What is SIEMFeeder

SIEMFeeder is a service developed by Panda Security for transferring information and knowledge from the Adaptive Defense 360 corporate antivirus to a third-party SIEM platform.

The main goal of this service is to enrich the corporate SIEM platform with detailed information about the activity of every process running on corporate computers. As a result, the system administrator gains unprecedented visibility into everything that happens on the corporate network. SIEMFeeder facilitates the detection of unknown threats, targeted attacks aimed at stealing confidential corporate information, and advanced persistent threats (APT).

SIEMFeeder architecture



SIEMFeeder collects information about the activity of every application and process running on the corporate network, thanks to the continuous monitoring of the entire network by the Adaptive Defense 360 corporate antivirus. In Panda's cloud platform this information is automatically analyzed with Big Data and artificial intelligence technologies to generate specialized security knowledge. As a result, every process running on every computer in the enterprise network is classified with an accuracy of about 99.999% and almost zero false positives. SIEMFeeder then transfers this entire information flow to the corporate SIEM server.

Moreover, to get the most out of SIEMFeeder there is no need to change any settings on the computers of the corporate network: the service runs inside the Panda Security infrastructure.

The information flow is as follows:

• Computers on the corporate network protected with Adaptive Defense 360 automatically send information about every running process to the Panda cloud
• The Panda cloud receives the information, processes it and enriches it with specialized security knowledge
• The SIEMFeeder service receives the information from the Panda cloud and encapsulates it in the form of logs, which are then transmitted to the user
• An sFTP server on the corporate network receives the logs from SIEMFeeder for temporary storage and subsequent transfer to the SIEM server

In addition, the architecture includes firewalls on the perimeter of the corporate network and locally on the computers of the network to protect incoming and outgoing traffic.

Requirements for implementation and integration

To implement the integration of a corporate antivirus with a SIEM system correctly in the example considered here, the following requirements must be taken into account:

• implementation requirements
• requirements for the SIEM system

Implementation requirements

To implement and use SIEMFeeder you need:

• computers on which the Adaptive Defense 360 corporate security solution is installed
• an active license for SIEMFeeder
• an sFTP server
• a correctly configured firewall (the one built into Adaptive Defense 360 or a third-party one)
• sufficient bandwidth to receive the data

sFTP server

An sFTP server with the following characteristics must be installed on the corporate network:

• it must have enough storage space for the information coming from SIEMFeeder; estimated volume: 2 MB per computer per day
• the sFTP server must support up to 10 simultaneous connections with the same account
• accounts connect with password-based authentication
• the idle timeout after which a data connection with no traffic is disconnected: 20 minutes

Firewall setup

To establish a connection between SIEMFeeder and the sFTP server, all intermediate firewalls must allow network traffic with the following characteristics:

• access via port 22 to the sFTP server
• access from the IP address 91.216.218.191
• transport protocol: TCP
• application-level protocol: SSH
• connection type: incoming traffic to the corporate network

Requirements for the SIEM system


Supported SIEM systems

To be compatible with SIEMFeeder, the SIEM system must support the following log formats: ArcSight Common Event Format (CEF) and QRadar Log Event Extended Format (LEEF).

SIEMFeeder can send data in either of these two formats (CEF or LEEF). Below is a non-exhaustive list of SIEM servers compatible with these formats (given as examples):

• AlienVault Unified Security Management (USM)
• Fortinet (AccelOps) FortiSIEM
• Hewlett Packard Enterprise (HPE) ArcSight
• QRadar Security Intelligence Platform (IBM)
• McAfee Enterprise Security Manager (ESM) (Intel Security)
• LogRhythm
• SolarWinds Log & Event Manager (LEM)
• Splunk Security Intelligence Platform

SIEM Server Configuration

To configure the SIEM server properly, import the sFTP server as a data source and correctly map the events and fields received from SIEMFeeder (the transferred data is described below).

SIEMFeeder availability


The SIEMFeeder service is available around the clock (24/7). Any possible interruptions in the operation of this service will be reported to the administrator in advance.

To prevent data loss in the event of a failure, unavailability of the user's sFTP server or any other error, Panda Security keeps the logs generated by SIEMFeeder until they have been transferred to the user (within a reasonable period of time).

Transmitted events and data


SIEMFeeder transforms the information received from the Adaptive Defense 360 corporate antivirus into events. An event is therefore the basic unit of information transmitted by SIEMFeeder.

Event structure in SIEMFeeder





An event consists of a variable number of field-value pairs and one event type/category. The field-value pairs depend on the type of event.
In addition, a preamble is added to the event with the information needed to encapsulate it in a CEF- or LEEF-compatible log file. This information lets the SIEM correctly identify the events in the form of compatible logs and include them in its repository.

Event group

A log file is a group of events transmitted to the SIEM server. The log files generated by SIEMFeeder vary in size and may contain one or more events belonging to different categories. In addition, the events in a single log file may contain information from one or more user computers.

Sequences and delays in receiving information

The maximum time that can pass from the moment an event occurs on a user's computer until information about it is delivered to the SIEM system is 20 minutes. Adaptive Defense 360 agents contact the cloud every 10 minutes; the data is then processed in the cloud, enriched with specific security knowledge, transformed into a log file and sent by SIEMFeeder to the user's SIEM system.

SIEMFeeder does not send log files in any predetermined sequence. However, every log carries a timestamp, which allows the SIEM server to place events accurately on the timeline.

SIEMFeeder CEF file format

As we mentioned earlier, SIEMFeeder can send information in two formats: CEF or LEEF.

The CEF format contains two data sections: a prefix (preamble) that identifies the event category, and an extension section with fields and values. Note that SIEMFeeder does not include the syslog header in CEF logs. Example:

CEF:1|Panda Security|paps|02.43.00.0000|registryc|1|
ClientId= Date=2016-11-04 23:47:49.000087 MachineName=WIN-JNTIXXX MachineIP=xxx.219.203.xx User=NT svchost.exe ValidSig= Company=Microsoft Corporation Broken=true ImageType=EXE 64 ExeType=Unknown Prevalence=High PrevLastDay=Low HeurFI=67108872 Skeptic= AVDets=0 JIDFI=3431976 1NFI=132943 JIDMW=11197481 1NMW=5131976 1NMW=5131976 = Goodware MWName= TargetPath=0|pune.com RegKey=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters?DhcpDomain

Prefix

CEF:1|Panda Security|paps|02.43.00.0000|registryc|1|

• CEF version (CEF:1) : Identifier of the log format and version
• Device vendor (Panda Security) : Name of the service provider
• Product (paps) : Internal name of the software or device
• Signature ID (02.43.00.0000) : The protection version that generates the event
• Name (registryc) : Type of event sent
• Severity (1) : Event severity. This value is always "1", except for alert-type events (alertmalware, alertpup, exploits). The event types are described in more detail below.

Extensions

The extensions section contains various fields with different information depending on the Name field (event type).

Encoding

All log files sent by SIEMFeeder use UTF-8 encoding.

SIEMFeeder LEEF file format


The LEEF format contains two data sections: a LEEF header that identifies the event category, and an attributes section that contains the event information as fields and values. As with CEF, SIEMFeeder does not include the syslog header in LEEF logs.

Example:

LEEF:1.0|Panda Security|paps|02.43.00.0000|registryc|sev=1 devTime=2016-09-22 15:25:11.000628 devTimeFormat=yyyy-MM-dd HH:mm:ss.SSS usrName=LOCAL SERVICE domain=NT AUTHORITY src=10.219.202.149 identSrc=10.219.202.149 identHostName=PXE68XXX HostName=PXE68XXX MUID=1F109BA4E0XXXX37F9995D31FXXXX319 Op=CreateExeKey Hash=C78655BC80301D76ED4FEF1C1EA40A7D DriveType=Fixed Path=SYSTEM|\svchost.exe ValidSig= Company=Microsoft Corporation Broken=true ImageType=EXE 64 ExeType=Unknown Prevalence=High PrevLastDay=Low HeurFI=67108872 Skeptic= AVDets=0 JIDFI=3431993 1NFI=116241 JIDMW=11195630 1NMW=4308325 Class=100 Cat=Goodware MWName= TargetPath= […] MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters?DhcpDomain

Header

LEEF:1.0|Panda Security|paps|02.43.00.0000|registryc|

• LEEF version (LEEF:1.0) : Identifier of the log format and version
• Vendor (Panda Security) : Name of the service provider
• Product (paps) : Internal name of the software or device
• Version ID (02.43.00.0000) : The protection version that generates the event
• Event Description ID (registryc) : Type of event sent

In LEEF log files the Severity parameter is not passed in the header; it is given in the attributes section (the "sev=number" field).

Attributes section

The attributes section contains various fields with different information depending on the type of event.
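The two layouts described in the CEF and LEEF sections, parsed into one common structure, as an added example that is not part of the original article and not Panda Security's code. It assumes that real records carry no spaces around "|" and "=" (the spacing in the examples above is an artifact of how the page was rendered), that LEEF attributes are tab-delimited as LEEF 1.0 defaults to, and that every value in the embedded sample log is constructed. It also exercises the two points the text makes about severity (a prefix field in CEF, the "sev" attribute in LEEF) and orders the events by their embedded timestamp, since log files do not arrive in sequence.

```python
"""Parse SIEMFeeder CEF and LEEF records into one structure.

Added example, not Panda Security's code. Assumptions not stated in the
article: real records carry no spaces around '|' and '='; the CEF extension
is a run of whitespace-separated key=value pairs whose values may contain
spaces (Company=Microsoft Corporation); LEEF attributes are tab-separated
(the LEEF 1.0 default). Every value in SAMPLE_LOG is constructed.
"""
import re
from datetime import datetime

# Event types whose severity is not the default "1" (section "Event categories").
ALERT_EVENTS = {"alertmalware", "alertpup", "exploits"}

# A value runs until the next " key=" token, so "Date=2016-11-04 23:47:49.000087"
# stays whole. Limitation: a value that itself contains " word=" would be cut.
_KV_RE = re.compile(r"([A-Za-z0-9_]+)=(.*?)(?=\s+[A-Za-z0-9_]+=|$)", re.S)


def parse_kv(text, sep=None):
    """Parse key=value pairs; sep=None means whitespace-delimited (CEF style)."""
    if sep is not None:
        return dict(p.split("=", 1) for p in text.split(sep) if "=" in p)
    return dict(_KV_RE.findall(text))


def parse_record(line):
    """Split one log line into its header parts and its field dictionary."""
    line = line.rstrip("\r\n")
    if line.startswith("CEF:"):
        # Only the first six '|' delimit the prefix; a '|' inside the extension
        # (Path=SYSTEM|\svchost.exe in the article's example) must not split it.
        parts = line.split("|", 6)
        if len(parts) != 7:
            raise ValueError("malformed CEF prefix: %r" % line[:60])
        fmt, vendor, product, sig_id, name, severity, body = parts
        fields = parse_kv(body)
    elif line.startswith("LEEF:"):
        parts = line.split("|", 5)
        if len(parts) != 6:
            raise ValueError("malformed LEEF header: %r" % line[:60])
        fmt, vendor, product, sig_id, name, body = parts
        fields = parse_kv(body, "\t") if "\t" in body else parse_kv(body)
        # LEEF carries severity as the "sev" attribute, not in the header.
        severity = next((v for k, v in fields.items() if k.lower() == "sev"), None)
    else:
        raise ValueError("not a CEF or LEEF record: %r" % line[:60])
    return {"format": fmt, "vendor": vendor, "product": product,
            "signature_id": sig_id, "event": name, "severity": severity,
            "fields": fields}


def event_time(rec):
    """Timestamp embedded in the record: 'Date' (CEF) or 'devTime' (LEEF)."""
    raw = rec["fields"].get("Date") or rec["fields"].get("devTime")
    return datetime.strptime(raw, "%Y-%m-%d %H:%M:%S.%f") if raw else datetime.min


def is_alert(rec):
    return rec["event"] in ALERT_EVENTS


def severity_consistent(rec):
    """The article states severity is '1' for every non-alert event type."""
    return is_alert(rec) or rec["severity"] == "1"


def load_log(text):
    """Parse a log file (one record per line) and order the events on the
    timeline, since SIEMFeeder does not deliver files in sequence."""
    records = [parse_record(l) for l in text.splitlines() if l.strip()]
    return sorted(records, key=event_time)


# Constructed sample log: two registryc events in the two formats and one
# alert. The alert's severity value "5" is invented; the article only says
# alert events do not use "1".
SAMPLE_LOG = "\n".join([
    "CEF:1|Panda Security|paps|02.43.00.0000|registryc|1|"
    "ClientId=1234 Date=2016-11-04 23:47:49.000087 MachineName=WIN-EXAMPLE "
    "MachineIP=10.0.0.5 Op=CreateExeKey Company=Microsoft Corporation "
    "ValidSig= Cat=Goodware Path=SYSTEM|\\svchost.exe "
    "RegKey=\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters?DhcpDomain",
    "LEEF:1.0|Panda Security|paps|02.43.00.0000|registryc|" + "\t".join([
        "sev=1", "devTime=2016-09-22 15:25:11.000628",
        "devTimeFormat=yyyy-MM-dd HH:mm:ss.SSS", "usrName=LOCAL SERVICE",
        "src=10.0.0.7", "HostName=PXE68-EXAMPLE", "Op=CreateExeKey",
        "Cat=Goodware", "Path=SYSTEM|\\svchost.exe"]),
    "CEF:1|Panda Security|paps|02.43.00.0000|alertmalware|5|"
    "ClientId=1234 Date=2016-11-05 08:12:00.000000 MachineName=WIN-EXAMPLE "
    "ItemName=Trj/Example.A ItemHash=00000000000000000000000000000000 "
    "ExecutionStatus=Launched",
])

if __name__ == "__main__":
    for rec in load_log(SAMPLE_LOG):
        print(event_time(rec), rec["format"], rec["event"],
              "sev=" + str(rec["severity"]), "ALERT" if is_alert(rec) else "")
```

The CEF prefix is cut with split("|", 6) rather than a plain split, because a pipe is legal inside an extension value, as the article's own registryc example (Path=SYSTEM|\svchost.exe) shows; the same applies to the five-part LEEF header. severity_consistent is a cheap sanity check for a field mapping: if a non-alert event ever arrives with a severity other than "1", the SIEM parser is probably reading the wrong column.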

Event categories


The type of the received event is shown in the Name field of the prefix section (CEF format) or in the Event Description ID field of the header (LEEF format).

Below is a list of all possible events with explanations of their values, grouped by type:

Adaptive Defense 360 agent deployment

• install : install agent
• upgrade : agent upgrade
• uninstall : Agent uninstalled

Create alert

• alertpup : Alert created after detecting a potentially unwanted program (PUP)
• alertmalware : Alert created after detecting a malware sample.
• exploits : Alert created after an exploit is detected.

Changes in the user's operating system

• hostfiles : The hosts file has been changed.
• monitoredregistry : Read access to the computer registry
• registrym : Modifying a branch in the registry to point to an executable file.
• registryc : Creating a branch in the registry pointing to the executable file.

Process operations

• createremotethread : Remote thread created
• createprocess : Process created
• exec : Process executed
• createpe : Executable program created
• modifype : Executable file modified
• renamepe : Executable file renamed
• deletepe : Executable program deleted
• loadlib : Library loaded

File download

• urldownload : file downloaded

Data access

• createcmp : Archive file created
• opencmp : Archive file opened
• monitoredopen : Access to monitored data files
• createdir : Created a folder in the file system
• socket : A network connection is established.

Blocking information

• toast : Adaptive Defense showed a pop-up message.
• notBlocked : The corresponding file was not scanned during download.
• toastBlocked : Adaptive Defense showed a pop-up message after blocking an unknown file

Event structure and field syntax


SIEMFeeder describes each dispatched event using field-value pairs. Events in SIEMFeeder are divided into two types: active events and passive events.

Internal structure of active events

Most received events describe situations in which a parent process performs an action on a child element. The type of element that receives the action varies with the event category. The child element can be:

• Another process : In events where a process is loaded, a library is loaded, etc.
• Executable file : In events where a program is created, modified or deleted
• System file : In events that manipulate the hosts file or the registry
• Data file : In events where Office files, databases, etc. are accessed
• Download file : In events where the process downloads data
• Archived file : In events where an archived file is created, modified or deleted
• Folder : In events where a folder is created, modified or deleted

Depending on its type, the event will or will not contain certain fields describing the characteristics of the parent and child elements. For example, if the event type is associated with creating a folder, the event's fields will describe the characteristics of the parent process (malware or not, process path, process metadata, etc.) as well as the characteristics of the child. However, since in this case the child is a folder, some event fields will be empty.

Internal structure of passive events

These are events that in most cases do not have a clearly defined parent or child process. Passive events include, for example, generating an alert when a malicious program is detected, or installing/modifying/removing the Adaptive Defense 360 agent.

Parent and child prefixes

Active events that involve two files or processes use the Parent and Child prefixes to show which information belongs to which process:

• Parent : Fields starting with the Parent tag describe the attribute of the parent process.
• Child : Fields starting with the Child tag describe an attribute of the child process
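The Parent/Child split described above, applied to a few constructed events, as an added example that is not Panda Security's code: it groups fields by prefix, drops the empty Child fields that a folder child leaves behind (see "Internal structure of active events"), treats events without either prefix as passive, and derives from the category and signature fields the reasons a defender would look at an event first. Field names follow the "Field description" section below (parentPath, childCat, childValidSig, ...); all values are constructed.

```python
"""Group SIEMFeeder active-event fields by their Parent/Child prefixes.

Added example, not Panda Security's code. Assumptions: field names follow
the article's "Field description" section (parentPath, childCat, ...); a
passive event carries no Parent*/Child* fields; a child that is not a
process (folder, data file) leaves some Child* fields empty. All sample
events are constructed.
"""

SUSPECT_CATS = {"Malware", "PUP"}
ALERT_EVENTS = {"alertmalware", "alertpup", "exploits"}


def _strip_prefix(key, prefix):
    # "childValidSig" -> "validSig", "parentCat" -> "cat"
    rest = key[len(prefix):]
    return rest[:1].lower() + rest[1:]


def split_event(event_type, fields):
    """Group fields into parent / child / common; empty child fields are dropped."""
    parent, child, common = {}, {}, {}
    for key, value in fields.items():
        low = key.lower()
        if low.startswith("parent"):
            parent[_strip_prefix(key, "parent")] = value
        elif low.startswith("child"):
            if value not in ("", None):  # empty when the child is a folder, data file, ...
                child[_strip_prefix(key, "child")] = value
        else:
            common[key] = value
    return {"event": event_type, "active": bool(parent or child),
            "parent": parent, "child": child, "common": common}


def triage(split):
    """Reasons a defender would look at this event first (empty list if none)."""
    reasons = []
    if not split["active"]:
        if split["event"] in ALERT_EVENTS:
            reasons.append("alert event: " + split["event"])
        return reasons
    for side in ("parent", "child"):
        attrs = split[side]
        cat = attrs.get("cat")
        if cat in SUSPECT_CATS:
            reasons.append("%s classified as %s (%s)"
                           % (side, cat, attrs.get("mwname") or "unnamed"))
        elif cat == "Unknown" and attrs.get("validSig") == "false":
            reasons.append("%s unknown and unsigned: %s" % (side, attrs.get("path")))
    return reasons


def triage_all(events):
    """(event type, reasons) for every (event type, fields) pair."""
    return [(t, triage(split_event(t, f))) for t, f in events]


# Constructed sample events: an unsigned unknown child process, a folder
# creation (child fields mostly empty), a malware child, and two passive events.
SAMPLE_EVENTS = [
    ("createprocess", {"machineName": "WIN-EXAMPLE",
                       "parentPath": "C:\\Windows\\explorer.exe", "parentCat": "Goodware",
                       "parentValidSig": "true", "parentHash": "11111111111111111111111111111111",
                       "childPath": "C:\\Users\\u\\AppData\\Local\\Temp\\updater.exe",
                       "childCat": "Unknown", "childValidSig": "false", "childMwname": ""}),
    ("createdir", {"machineName": "WIN-EXAMPLE",
                   "parentPath": "C:\\Windows\\explorer.exe", "parentCat": "Goodware",
                   "childPath": "C:\\Users\\u\\Documents\\new",
                   "childCat": "", "childHash": "", "childValidSig": ""}),
    ("createprocess", {"machineName": "WIN-EXAMPLE",
                       "parentPath": "C:\\Windows\\System32\\cmd.exe", "parentCat": "Goodware",
                       "childPath": "C:\\Users\\u\\Downloads\\invoice.exe",
                       "childCat": "Malware", "childMwname": "Trj/Example.A"}),
    ("alertmalware", {"machineName": "WIN-EXAMPLE", "itemName": "Trj/Example.A",
                      "executionStatus": "Not running"}),
    ("install", {"machineName": "WIN-EXAMPLE", "version": "2.43.00.0000"}),
]

if __name__ == "__main__":
    for event_type, reasons in triage_all(SAMPLE_EVENTS):
        print(event_type, reasons or "-")
```

Dropping empty Child fields before triage matters: a folder child has no category or signature, and treating the empty string as "unsigned" would flag every createdir event.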

Other prefixes and affixes

Many fields and values use abbreviations. Knowing their meaning makes it much easier to interpret the field in question:

• Sig : Digital Signature
• Exe and pe : Executable file
• Mw : Malware
• Sec : Seconds
• Op : Operation
• Cat : Category
• PUP : Potentially unwanted program
• Ver : Version
• SP : Service Pack
• Cfg : Configuration
• Cmp and comp : Archived file
• Dst : Destination

Field description


Below is information about the available fields and the data they contain.

action (number): The action taken by the Adaptive Defense agent

• Allow
• Block
• Waiting for blocking

alertType (number): Category of the threat that caused the alert

• Malware
• PUP
• Exploit

broken (Boolean) : File is damaged or defective.

cat (number): The category of the file that performed the described operation.

• Non-malicious program
• Malware
• PUP
• Unknown
• Monitoring

childBroken (Boolean): Child process is corrupted or faulty

childCat (number): The category of the child file that performed the described operation.

• Non-malicious program
• Malware
• PUP
• Unknown
• Monitoring

childCompany (string): Content of the Company attribute in the metadata of the child process
childDriveType (number): The type of disk on which the child process / file is located, which performed the described operation

• Fixed
• Remote
• Removable

childExeType (number): Internal structure / type of executable file

• Delphi
• DOTNET
• VisualC
• VB
• CBuilder
• Mingw
• Mssetup
• Setupfactory
• Lcc32
• Vc7setupproject
• Unknown

childHash (MD5): Child Process Hash
childImageType (number): The internal architecture of the child process

• EXEx32
• EXEx64
• DLLx32
• DLLx64

childMwname (string): The name of the malware if the child process is classified as a threat

• Null: the object is not malware

childPath (path string): Path to the child file that performed the described operation
childPrevalence (number): The frequency of the occurrence of a child process in Panda Security systems during their lifetime

• High
• Average
• Low

childPrevLastDay (number): The frequency of the occurrence of a child process in Panda Security systems for the previous day
childValidSig (Boolean): The child process is digitally signed
clientCat (number): Object category stored in the Adaptive Defense agent cache

• Goodware
• Malware
• PUP
• Unknown
• Monitoring

clientId (number): user ID
company (string): Company attribute content in process metadata
companyName (string): The contents of the Company attribute in the vulnerable file's metadata
date (date): The date from the user's computer when the event was generated.
direction (number): the direction of the network connection

• outgoing
• Incoming
• Bidirectional
• Unknown

driveType (number): The type of disk on which the process / file is located that performed the described operation

• Fixed
• Remote
• Removable

dstIp (IP address): IP address of the connection receiver
dstIp6 (IPv6 address): IPv6 destination address of the connection
dstPort (range 0-65535): Connection Destination Port
dwellTimeSecs (seconds): Time in seconds since the first observation of the threat on the user's network
executionStatus (number): Indicates whether the detected threat was launched.

• Launched
• Not running

exeType (number): Internal structure / type of executable file

• Delphi
• DOTNET
• VisualC
• VB
• CBuilder
• Mingw
• Mssetup
• Setupfactory
• Lcc32
• Vc7setupproject
• Unknown

fileName (string): Name of the vulnerable file
filePath (string): Full path to vulnerable file
fileVersion (string): Content of the Version attribute in the vulnerable file's metadata
hash (MD5) : File Hash
imageType (number): Internal Process Architecture

• EXEx32
• EXEx64
• DLLx32
• DLLx64

internalName (string): Name attribute content in vulnerable file metadata
itemHash (MD5 string) : Hash of the detected threat or vulnerable program
itemName (string) : name of detected threat
itemPath (path string) : The full path to the file that contains the threat
key (string) : branch or key of the affected registry
localCat (number) : Object category calculated by Adaptive Defense agent

• Goodware
• Malware
• PUP
• Unknown
• Monitoring

loggedUser (string) : User authorized in the system during event generation
machine : The name of the computer of the user who performed the described operation.
machineIP (IP address) : The IP address of the user's computer that performed the described operation.
machineIP1 (IP address) : IP alias of the user's computer that performed the described operation
machineIP2 (IP address) : IP alias of the user's computer that performed the described operation
machineIP3 (IP address) : IP alias of the user's computer that performed the described operation
machineIP4 (IP address) : IP alias of the user's computer that performed the described operation
machineIP5 (IP address) : IP alias of the user's computer that performed the described operation
machineName (string) : The name of the computer of the user who performed the described operation
muid (String, format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) : Internal client computer ID
numCacheClassifiedElements (number) : Number of objects classified in the Adaptive Defense cache
mwName (string) : Name of the malicious sample if the object is cataloged as a threat.

• Null : The item is not malware

op (number): The operation performed by the process

• Install
• Uninstall
• Upgrade
• CreateDir
• Exec
• CreatePE
• DeletePE
• LoadLib
• OpenCmp
• RenamePE
• CreateCmp

osPlatform (number): Platform of the operating system installed on the user's computer

• WIN32
• WIN64

osSP (string) : Service pack of the operating system installed on the user's computer
osVer (string) : Version of the operating system installed on the user's computer
path (path string) : Path to the object that performed the described operation
params (string) : Process Execution Parameters
parentBroken (Boolean) : Parent process is damaged or faulty
parentCat (number) : The category of the parent file that performed the described operation.

• Non-malicious program
• Malware
• PUP
• Unknown
• Monitoring

parentCompany (string) : Content of the Company attribute in the meta data of the parent process

parentDriveType (number): The type of disk on which the parent process / file is located that performed the described operation

• Fixed
• Remote
• Removable

parentExeType (number): Internal structure / type of parent process

• Delphi
• DOTNET
• VisualC
• VB
• CBuilder
• Mingw
• Mssetup
• Setupfactory
• Lcc32
• Vc7setupproject
• Unknown

parentHash (MD5) : parent process hash
parentImageType (number): The internal architecture of the parent process

• EXEx32
• EXEx64
• DLLx32
• DLLx64

parentMwname (string): The name of the malicious program if the parent process is classified as a threat

• Null: The object is not malware.

parentPath (path string): Path to the parent file that performed the described operation

parentPrevalence (number): The frequency of the appearance of the parent process in Panda Security systems during their lifetime

• High
• Average
• Low

parentPrevLastDay (number): The frequency of occurrence of the parent process in the Panda Security systems for the previous day

parentValidSig (Boolean): Parent process is digitally signed

port (0-65535) : Communication port used by the process
prevalence (number): The frequency of the process occurrence in Panda Security systems during their lifetime

• High
• Average
• Low

prevLastDay (number): The frequency with which the process appeared in Panda Security systems on the previous day

• High
• Average
• Low

productVersion (string): The contents of the ProductVersion attribute in the metadata of the vulnerable file
protocol (number): The communication protocol used by the process

• TCP
• UDP
• ICMP
• ICMPv6
• IGMP
• RF

regAction (number): Type of operation performed in the computer's registry

• CreateKey
• CreateValue
• ModifyValue

regKey (string): Registry Key
responseCat (number): File category returned by the cloud

• Unknown = 0
• Non-malicious program = 1
• Malware = 2
• Suspicious file = 3
• Compromised file = 4
• Unconfirmed non-malicious program = 5
• PUP = 6
• Unwanted non-malicious program = 7

serverdate : Date from the user's computer when the event was generated
serviceDriveType (number): The type of disk on which the driver that received the action is located
sonFirstSeen (date): The time of the first detection of the object that caused the pop-up message
sonLastQuery (date): The time when the process that caused the pop-up message to appear on the user's computer sent the request to the cloud for the last time.
targetPath (path string): Path to the executable file referenced by the registry branch
toastResult (number): User response to the pop-up message shown by Adaptive Defense

• OK: The user has accepted the message.
• Timeout: The pop-up message stopped showing due to the lack of user action during a set period of time.
• User rejected blocking action
• Block
• Allow

user (string): The user account used by the process that performed the described operation
url (URL string): URL of the download initiated by the process that generated the described event.
validSig (Boolean): Digitally Signed Process
value (string): The name of the changed value in the registry key
valueData (string): The contents of the registry key value
ver (string): Adaptive Defense Agent Version
version (string): Adaptive Defense agent version
winningTech (number): The technology that generated the event

• Unknown
• Cache
• Cloud
• Context
• Serializer
• User
• Legacyuser
• Netnative
• certifUA

Conclusion


Adaptive Defense 360 can automatically and almost in real time transfer to a third-party SIEM system a huge amount of information about all the processes monitored on the computers of the corporate network. In turn, the SIEM system can instantly present the processed expert information in a digestible form, so that the user can make effective decisions to counter malicious and unauthorized actions, minimize security risks and prevent leaks of corporate data. In addition, SIEM systems can be used to investigate information security incidents thoroughly, to determine what happened, where, when, how and with whom.

However, even if the enterprise already has a corporate antivirus, the separate Adaptive Defense product can be used as a "collector" of a huge amount of primary information, with its subsequent automatic upload to the SIEM, without affecting the performance of the computers. Moreover, Adaptive Defense will be extremely useful as a "defender" against unknown threats, targeted attacks and ransomware encryptors, working in parallel with the existing corporate antivirus.

In a huge flow of information it is difficult to quickly record and track everything that matters, and here the integration of a corporate antivirus with a SIEM system can be a great help.

We invite you to evaluate the capabilities of Adaptive Defense 360 using a demo console (no product installation required).

The demo console is designed to demonstrate Panda Adaptive Defense 360; it already contains certain information on user settings, profiles, etc., which lets you evaluate the console in a mode as close as possible to real operation.

Access to the demo console: demologin.pandasecurity.com
Login: DRUSSIAN_FEDERATION_C13@panda.com
Password: DRUSSIAN # 123

Note: changes made to product settings while viewing the demo console are reset daily.

Source: https://habr.com/ru/post/323536/

