yuvalmamka
Employee

How to integrate CloudGuard AppSec logs into various SIEM services

How to Integrate CloudGuard AppSec logs into Sumo Logic?

Prerequisites

Read the steps below before running them. Specifically, look at Step 6. In this step, you will be required to install a collector and there are several questions in this step regarding the collector’s location.

Step 1: Run the collection setup wizard

When browsing to Manage Data->Collection, you can run the “Setup Wizard”.

Step 2: Select “Integrate with Sumo Logic”

Step 3: Select “Your Custom App”

Step 4: Select “Syslog”

Step 5: Select a new collector and the operating system

In my example I used Linux:

Step 6: Set up the collector

This step is the only complex step as there are many possible architectures you can use.

  • You might already have a Syslog server from which you want to collect, or you might want the collector itself to be the “server” for the AppSec logs.
  • If you do not have a Syslog server already and just want to use the collector, then where you deploy the collector is entirely up to you. You will, however, need to design the network path to it so that all relevant CloudGuard AppSec Gateways/Agents can reach it over the IP protocol and port configured in the next step.

Step 7: Configure protocol/port and additional settings

For the protocol, select UDP. Set all other settings according to your needs:

Step 8: Configure the Log Trigger to send Syslog traffic to the collector’s location and port

As explained in the CloudGuard AppSec documentation for Log Trigger setup, edit your log trigger object or create a new one.
Then make sure to configure, in the “Log To” section, Syslog service settings, on top of or instead of the default “Cloud” option.

How to Integrate CloudGuard AppSec logs into Splunk?

Prerequisites

Read the steps below before running them. As with Sumo Logic, in this example I opted to simply install a “universal forwarder”, as they are called in Splunk, on the same machine as the agent itself, but you can opt for a different architecture.
A Splunk server or an account in the Splunk cloud is also needed.

Step 1: Install a universal forwarder

Follow the instructions in your Splunk server for downloading a universal forwarder. The images below are from a Splunk cloud trial license.

Step 2: Download and install the account credentials according to the documentation

This involves downloading a file using the “Download Universal Forwarder Credentials” button seen above, moving the file to a local /tmp folder, running an installation command according to the documentation, and restarting the forwarder.

Step 3: Configure inputs

This step can be performed in several ways, from the UI to the command line.
I simply configured a local $SPLUNK_HOME/etc/system/local/inputs.conf file with the following section (I chose a random UDP listening port, but you may use a different one):

[udp://5140]
disabled = false
connection_host = ip
sourcetype = syslog
index = appsec
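Both the Sumo Logic collector (step 7 of the first guide, protocol UDP) and the inputs.conf stanza above end up as a UDP syslog listener, and the practical question in both cases is the same: does a well-formed syslog datagram from the agent's network location actually reach that port? The script below is an added example, not code from the post or from Check Point, Sumo Logic or Splunk. It builds an RFC 3164-style message (the <PRI> prefix encodes facility and severity, which is what the SIEM uses to classify the event), sends it over UDP, and proves the round trip against a throwaway loopback listener; COLLECTOR_HOST, "appsec-gw-01" and "appsec-test" are placeholders I made up, and the event text is constructed.

```python
import datetime
import socket

# Syslog facility/severity codes from RFC 3164 / RFC 5424 (PRI = facility * 8 + severity)
FACILITY_LOCAL0 = 16
SEVERITY_INFO = 6
SEVERITY_WARNING = 4

# Placeholders for the collector chosen in the steps above (assumptions, not real values)
COLLECTOR_HOST = "collector.example.internal"
COLLECTOR_PORT = 5140  # the [udp://5140] stanza; for Sumo Logic use the port chosen in step 7


def build_syslog_message(hostname, app, msg, facility=FACILITY_LOCAL0,
                         severity=SEVERITY_INFO, timestamp=None):
    """Return a BSD-syslog (RFC 3164) line: <PRI>Mmm dd HH:MM:SS HOST APP: MSG."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    pri = facility * 8 + severity
    ts = timestamp or datetime.datetime.now()
    # RFC 3164 wants the day of month space-padded ("Sep  5", "Sep 28")
    stamp = f"{ts.strftime('%b')} {ts.day:2d} {ts.strftime('%H:%M:%S')}"
    return f"<{pri}>{stamp} {hostname} {app}: {msg}"


def parse_pri(line):
    """Recover (facility, severity) from the <PRI> prefix, to confirm the SIEM will
    classify the event the way you intended."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing <PRI> prefix")
    pri = int(line[1:line.index(">")])
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range")
    return pri // 8, pri % 8


def send_udp(message, host, port):
    """Send one datagram, exactly as a UDP syslog source would; returns bytes sent."""
    data = message.encode("utf-8")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(data, (host, port))


def loopback_roundtrip(message, timeout=2.0):
    """Bind a throwaway UDP listener on 127.0.0.1, send `message` to it and return what
    arrived. Point send_udp at the real collector instead to check the network path
    before configuring the Log Trigger."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
        listener.settimeout(timeout)
        port = listener.getsockname()[1]
        send_udp(message, "127.0.0.1", port)
        data, _ = listener.recvfrom(65535)        # largest UDP payload we accept
    return data.decode("utf-8")


if __name__ == "__main__":
    # Constructed test event; hostname and app name are placeholders
    line = build_syslog_message("appsec-gw-01", "appsec-test",
                                "constructed connectivity test event",
                                severity=SEVERITY_WARNING)
    print("sending:", line)
    print("received on loopback:", loopback_roundtrip(line))
    print("facility/severity:", parse_pri(line))
    # To exercise the real path once the collector is up:
    # send_udp(line, COLLECTOR_HOST, COLLECTOR_PORT)
```

If the loopback round trip works but nothing shows up in the SIEM after sending to the collector, the problem is the network path (security groups, host firewall, the collector binding to a different interface), not the message format, which is exactly the distinction the design bullets in step 6 ask you to settle before wiring up the Log Trigger.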

Step 4: Configure the Log Trigger to send Syslog traffic to the collector’s location and port

Just like the Sumo Logic example, and as explained in the CloudGuard AppSec documentation for Log Trigger setup, edit your log trigger object or create a new one.
Then make sure to configure, in the “Log To” section, Syslog service settings, on top of or instead of the default “Cloud” option.

How to Integrate CloudGuard AppSec logs into Microsoft Sentinel?

Prerequisites

Read the steps below before running them.
You also need a Microsoft Sentinel workspace in your Azure account.

Step 1: In your Microsoft Sentinel Workspace, locate the CEF connector under Configuration->Data connectors

Step 2: Select “CEF” and open the connector’s page

Step 3: Follow instructions and select a location for the collector’s agent

As in step 6 of the “Sumo Logic” guide, this step is the only complex one, because there are many possible architectures you can use.

  • You might already have your own CEF server from which you want to collect, or you might want the collector itself to be the “server” for the AppSec logs.
  • If you do not have a CEF server already and just want to use the collector, then where you deploy the collector is entirely up to you. You will, however, need to design the network path to it so that all relevant CloudGuard AppSec Gateways/Agents can reach it over the IP protocol and port configured in the next step.
  • When running the connectivity validation command, it also sends a test log.
  • This is the last step on Microsoft Sentinel’s side. The actual setup then takes about 20 minutes; only after that will the status change to “Connected” and logs appear.

Step 4: Configure the Log Trigger to send CEF traffic to the collector’s location and port

As explained in the CloudGuard AppSec documentation for Log Trigger setup, edit your log trigger object or create a new one.
Then make sure to configure, in the “Log To” section, CEF service settings, on top of or instead of the default “Cloud” option.
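Once the Log Trigger is sending CEF, the first thing worth checking on the receiving side is that the lines survive transport intact: CEF has seven pipe-delimited header fields, and pipes, equals signs and backslashes inside values must be escaped, so a collector that mangles escaping silently truncates the Name or extension fields. The parser below is an added example, not code from the post, from Check Point or from Microsoft; the sample lines are constructed, ExampleVendor/ExampleWAF are placeholders, and the extension keys used (src, dst, dpt, requestMethod, request, act, msg) are standard CEF dictionary keys rather than a claim about what CloudGuard AppSec actually emits.

```python
import re

# A key in the extension looks like "name=" preceded by start-of-string or whitespace.
# An escaped "\=" never matches because the backslash is not a key character.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")

# Constructed sample lines (not real product output; vendor/product names are placeholders).
# Line 1 exercises an escaped pipe in the Name field and an escaped "=" in an extension
# value; line 2 is deliberately short of header fields so the error path is visible.
SAMPLE_CEF_LINES = [
    r"CEF:0|ExampleVendor|ExampleWAF|1.0|1001|Request blocked \| policy match|8|"
    r"src=198.51.100.23 dst=203.0.113.10 dpt=443 requestMethod=GET "
    r"request=/search?q\=1 act=Prevent msg=constructed sample event",
    "CEF:0|ExampleVendor|ExampleWAF|1.0|truncated line",
]


def _unescape(raw):
    # Undo CEF escaping: a backslash protects '|', '=' and '\'; backslash-n and
    # backslash-r stand for line breaks inside extension values.
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            nxt = raw[i + 1]
            out.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def _split_header(line):
    # Split the seven header fields on unescaped '|' and return (fields, extension text).
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            buf.append(line[i:i + 2])   # keep the escape pair for _unescape
            i += 2
        elif ch == "|":
            fields.append(_unescape("".join(buf)))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError(f"expected 7 header fields, got {len(fields)}")
    return fields, line[i:]


def _parse_extension(ext):
    # Each value runs from its '=' to the start of the next key.
    out = {}
    matches = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def parse_cef(line):
    """Parse one CEF line into a dict; raises ValueError on a malformed header."""
    fields, ext = _split_header(line.rstrip("\r\n"))
    version, vendor, product, dev_version, sig_id, name, severity = fields
    if not version.startswith("CEF:"):
        raise ValueError("line does not start with CEF:")
    try:
        sev = int(severity)
    except ValueError:
        raise ValueError(f"severity is not numeric: {severity!r}") from None
    if not 0 <= sev <= 10:
        raise ValueError(f"severity out of range: {sev}")
    return {"version": version[4:], "vendor": vendor, "product": product,
            "device_version": dev_version, "signature_id": sig_id, "name": name,
            "severity": sev, "extension": _parse_extension(ext)}


def parse_cef_lines(lines):
    """Parse many lines, keeping good events and recording bad ones instead of stopping."""
    events, errors = [], []
    for n, line in enumerate(lines, 1):
        try:
            events.append(parse_cef(line))
        except ValueError as exc:
            errors.append((n, str(exc)))
    return events, errors


if __name__ == "__main__":
    events, errors = parse_cef_lines(SAMPLE_CEF_LINES)
    for ev in events:
        print(f"{ev['extension'].get('src')} -> {ev['extension'].get('dst')}: "
              f"{ev['name']} (severity {ev['severity']})")
    for n, err in errors:
        print(f"line {n}: {err}")
```

Run it against a capture taken on the collector host (for example the test log that Sentinel's connectivity validation command sends, or a few real events once the Log Trigger is active): if the Name field comes out cut at a pipe or the request value at an equals sign, the sending side or an intermediate relay is not escaping correctly, and that is a transport problem to fix before building detections on the data.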

Summary

CloudGuard AppSec can forward logs to both CEF and Syslog servers. SIEM services accept Syslog/CEF traffic as inputs, which makes it fairly easy to integrate CloudGuard AppSec with whatever SIEM service you already have.
