Fidelis Endpoint® SIEM Integrations Guide Version 9.3.1 www.fidelissecurity.com

Copyright © 2002–2020 Fidelis Cybersecurity®. All rights reserved worldwide.

Fidelis Cybersecurity
4500 East West Highway, Suite 400
Bethesda, MD 20814

Fidelis Endpoint® 9.3.1 SIEM Integrations Guide
Revised February 2020

Users are granted permission to copy and/or distribute this document in its original electronic form and print copies for personal use. This document cannot be modified or converted to any other electronic or machine-readable form in whole or in part without prior written approval of Fidelis Cybersecurity.

While we have done our best to ensure that the material found in this document is accurate, Fidelis Cybersecurity makes no guarantee that the information contained herein is error free. All third-party brand names and product names referenced in this documentation are trade names, service marks, trademarks, or registered trademarks of their respective owners.

Table of Contents

Integrating with SIEM Applications
    Exporting Log and Result Information to SIEM Applications
        About Creating a Custom Export Configuration
    Integrating Fidelis Endpoint and ArcSight
        Installing the ArcSight Connector
        Configuring Fidelis Endpoint to Export Information to ArcSight
        Configuring ArcSight Console
        Testing the ArcSight Integration
    Integrating Fidelis Endpoint and QRadar
        Configuring Fidelis Endpoint to Export Information to QRadar
        Configuring the Fidelis Endpoint DSM in QRadar
        Configuring Actions to Launch Script Tasks
        Configuring the Log Source in QRadar
        Testing the QRadar Integration
    Integrating Fidelis Endpoint and McAfee Enterprise Security Manager
        Preparing for Remote Command Integration
        Setting up the Fidelis Endpoint Data Source
        Setting up Device URL Integration
        Configuring a Remote Command (URL Integration)
        Configuring a Remote Command (SSH/API Integration)
        Configuring Alarms to Execute a Command
        Manually Executing a Remote Command
Technical Support
    Getting Help
    Other Documentation

Integrating with SIEM Applications

You can use the information in this section to integrate Fidelis Endpoint with SIEM (Security Information and Event Management) applications.

Note: For information about configuring a third-party SIEM application to integrate with Fidelis Endpoint, refer to the integrations in this guide and contact Fidelis Endpoint support.

Exporting Log and Result Information to SIEM Applications

Using syslog, you can export log and activity data from Fidelis Endpoint to SIEM applications (usually ArcSight or QRadar) in either of the following formats:
• Common Event Format (CEF)
• Log Event Extended Format (LEEF)

You can export log and activity data from Fidelis Endpoint either as files on disk or to a hostname/port over User Datagram Protocol (UDP). Configure the SyslogConfiguration.json file to export:
• Alerts
• Task Results (also called Job Results) from running a script package
• System Logs
• Server Health Logs
• Activity Logs (also called Audit Logs)

To configure exporting log and result information:

On the Windows Server, navigate to ProgramData\Fidelis\Endpoint\Shared\ and open the SyslogConfiguration.json file in a text editor.

IMPORTANT: The same folder also contains a SyslogConfigurationDefault.json file that holds the default values. Make any changes to SyslogConfiguration.json only, because the Fidelis Endpoint upgrade process overwrites SyslogConfigurationDefault.json.

Locate the export type you want.
Specify the settings you want to use:

Name
    Identifies the export type. You reference the export type by name in:
    • Script Package REST API calls. For example:
      "integrationOutputs": ["CEFOutput", "LEEFOutput"]
      For more information, see "Script Packages API" in the API Guide.
    • Deep links. For example:
      &exportType=CEFOutput
      For more information, see "Deep Linking to a Script Package" in the Fidelis Endpoint online Help.

Enabled
    Enables (true) or disables (false) the export type.

Format
    Specifies the format of the exported information. Use either CEF or LEEF.

UseHostname
    Enables (true) or disables (false) the use of the hostname instead of the IP address when a hostname is known.

Host and Port
    Specifies the export destination as a hostname/port reached over UDP.
    • Set the hostname and port where you want to export information. For example:
      "Host": "10.10.0.0",
      "Port": 514,
    Note: Use either Host and Port, or use Folder, not both. UDP syslog is neither acknowledged nor encrypted, so point it only at a collector on a trusted network segment and expect dropped datagrams to be lost silently.

Folder
    Specifies the export destination as files in a folder.
    • Set the value to the path where you want to export information. Specify only the path, not a file name. For example:
      "Folder": "C:\\Syslog\\CEF",
      The destination folder must already exist for information to be exported to files.
    • Files are written to the specified output path using this naming format:
      YYYY-MM-DD_HH-MM-SS_count#.extensiontype
      ...where count# is the count of files written during the same second and extensiontype is cef or leef, depending on the format. For example:
      2017-02-03_10-37-43_9.cef
      2017-02-03_10-37-43_10.cef
    Note: Use either Folder, or use Host and Port, not both.

Alerts
    Enables (true) or disables (false) exporting alerts.

AlertsFieldMap
    Provides a list of the HeaderFields and Fields that enable you to map Fidelis Endpoint alerts to the CEF and LEEF formats. The HeaderFields are variables you can set to the string values you want. Fields are name/value pairs that map CEF and LEEF fields to the standard Fidelis alert fields. Each value is an array, though most alert fields contain only a single value. Be aware that some values are static strings, while others are string variables that pass in a string value from the alert you are mapping.
    Note: The "msg" name/value pair also includes a delimiter that is placed between the values in the array. You can set the delimiter to whatever you want.
    X_Event is a special field that requires retrieving data from Elastic Search. There are two ways to use it:
    • X_Event:* dumps all alert fields and field values from Elastic Search into a single mapped field.
    • X_Event:PropertyNameHere maps a specific event property field.
    Important: Whether you map a single property or all of them, using the X_Event field makes a call to Elastic Search that returns all fields, which has a large performance impact. Also, any field in Elastic Search with the same name as another mapped alert field overwrites that mapped field when the Elastic Search call returns. Because of its performance impact, the X_Event field is not mapped by default.
    The X_Event event property sub-fields are: EventTime, EndpointId, EndpointName, EventType, ParentTargetID, TargetID, PID, PPID, ParentName, ParentPath, ParentHash, Name, Path, CommandLine, HashMD5, User, LocalIP, LocalPort, RemoteIP, RemotePort, URL, Size, FileVersion, Signature, SignedTime, StrongName, CertificateSubjectName, CertificateIssuerName, CertificatePublisher, WinEventID, Source, WinSID, Category, Message, Usb, Hive, DNSQuestion, DNSAnswer, ProxyInfo, HashSHA1, HashSHA256, ProcessStartTime, ProcessEndTime, FirstEventTime, LastEventTime, Data, LogonUserName, LogonType, LogonID, Serial, Model, Media, ReportIndex, IndexingTime, Computer, DetectionId, ScanType, ThreatName, AMDefinitionVersion, Protocol, ReportId, EventIndex, ReportTime, Extension, FileCategory, FileType, ID, NetworkDirection, remotePID, remoteTID, parentSignature, parentCertificateSubjectName, parentCertificateIssuerName, parentCertificatePublisher, parentHashSHA1, parentHashSHA256, entropy, registryValue.

JobResults
    Enables (true) or disables (false) exporting script task results. When true, the export type appears as a menu item in the "Export Results to" option in the "Options" pane of the "Task Options" screen in the Task wizard.

JobResultFieldMap
    Provides a list of the HeaderFields and Fields that enable you to map job (script package task) results to the CEF and LEEF formats. The HeaderFields are variables you can set to the string values you want. Fields are name/value pairs that map CEF and LEEF fields to the standard Fidelis JobResults fields. Each value is an array, though by default an array of a single value.
    Note: Some values are static strings, while others are string variables that pass in a string value from the content you are mapping.

JobResults_Default
    When exporting script task results (JobResults), sets (true) or unsets (false) this export type as the default selected menu item in the "Export Results to" option in the "Options" pane of the "Task Options" screen in the Task wizard. If multiple export types are configured as the default, the item that actually appears as the default selected item in the user interface is the first-listed, script-task-results-enabled export type in the configuration file.
    Tip: You can change the order of items in the "Export Results to" option by re-ordering the configuration sections in the configuration file.

AuditLogs
    Enables (true) or disables (false) exporting activity logs. Activity logs contain logged user activity in the Fidelis Endpoint Web application: log in, log out, start task, change password, user management (create, edit, delete), endpoint management, group management, configuration management (create alert, delete alert, event configuration, etc.), script package management (create, import, delete), etc.

AuditLogFieldMap
    Provides a list of the HeaderFields
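The script below is an added example written for this settings table; it is not Fidelis code and does not ship with the product. It turns the rules stated above into a check you can run before restarting the export: Format must be CEF or LEEF, an export type uses either Host/Port or Folder but not both, a Folder destination must already exist, X_Event in AlertsFieldMap costs an Elastic Search call per alert, and when several export types set JobResults_Default the first-listed JobResults-enabled one is what the Task wizard pre-selects. It also orders files written by a Folder export, whose count# suffix is numeric (..._9.cef precedes ..._10.cef). The one assumption, not stated on this page, is that each export type is handed to the checker as a Python dict keyed by the Value names in the table; how the real SyslogConfiguration.json nests those entries is not shown here, so extract the list from your own file. The `isdir` parameter and all sample entries are constructed for the example.

```python
"""Added example, not part of the Fidelis guide or product: checks export-type
settings against the rules in the SyslogConfiguration.json settings table.

Assumption (not stated on this page): each export type is a Python dict keyed
by the Value names from the table (Name, Enabled, Format, Host, Port, Folder,
Alerts, AlertsFieldMap, JobResults, JobResults_Default, AuditLogs, ...). The
nesting of the real file is not shown here, so feed this the list you extract.
"""
import os
import re

VALID_FORMATS = {"CEF", "LEEF"}


def _uses_x_event(node):
    """True if any string inside a field map starts with 'X_Event:'."""
    if isinstance(node, str):
        return node.startswith("X_Event:")
    if isinstance(node, dict):
        return any(_uses_x_event(v) for v in node.values())
    if isinstance(node, list):
        return any(_uses_x_event(v) for v in node)
    return False


def validate_export_type(cfg, isdir=os.path.isdir):
    """Return (severity, message) tuples for one export type.

    Rules from the table: Format is CEF or LEEF; exactly one of Host/Port (UDP)
    or Folder; the Folder must already exist; X_Event costs an Elastic Search
    call per alert and same-named fields overwrite mapped fields.
    `isdir` is injectable so the check can run without a real filesystem.
    """
    name = cfg.get("Name") or "<unnamed>"
    problems = []

    if cfg.get("Format") not in VALID_FORMATS:
        problems.append(("error", f"{name}: Format must be CEF or LEEF"))

    has_host, has_folder = bool(cfg.get("Host")), bool(cfg.get("Folder"))
    if has_host and has_folder:
        problems.append(("error", f"{name}: use either Host/Port or Folder, not both"))
    elif not (has_host or has_folder):
        problems.append(("error", f"{name}: no destination (Host/Port or Folder)"))
    if has_host:
        port = cfg.get("Port")
        if not isinstance(port, int) or not 1 <= port <= 65535:
            problems.append(("error", f"{name}: Port must be an integer 1-65535"))
    if has_folder and not isdir(cfg["Folder"]):
        problems.append(("error", f"{name}: Folder does not exist, nothing will be written"))

    if cfg.get("Enabled") and not any(cfg.get(k) for k in ("Alerts", "JobResults", "AuditLogs")):
        problems.append(("warning", f"{name}: enabled but Alerts, JobResults and AuditLogs are all off"))
    if _uses_x_event(cfg.get("AlertsFieldMap")):
        problems.append(("warning", f"{name}: X_Event mapped; one Elastic Search call per alert, "
                                    "and same-named fields overwrite mapped fields"))
    return problems


def default_job_results_export(export_types):
    """Name of the entry the Task wizard pre-selects in 'Export Results to'.

    Several entries may set JobResults_Default; per the table the first-listed
    JobResults-enabled one wins, so the order in the file decides.
    """
    for cfg in export_types:
        if cfg.get("Enabled") and cfg.get("JobResults") and cfg.get("JobResults_Default"):
            return cfg.get("Name")
    return None


FILE_NAME_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})_(\d{2}-\d{2}-\d{2})_(\d+)\.(cef|leef)$", re.I)


def sort_export_files(names):
    """Order Folder-export files (YYYY-MM-DD_HH-MM-SS_count#.cef) chronologically.

    count# is numeric, so a lexical sort would read ..._10.cef before ..._9.cef.
    Names that do not match the documented pattern are ignored.
    """
    keyed = []
    for n in names:
        m = FILE_NAME_RE.match(n)
        if m:
            keyed.append(((m.group(1), m.group(2), int(m.group(3))), n))
    return [n for _, n in sorted(keyed)]


if __name__ == "__main__":
    # Constructed sample entries, not copied from a real SyslogConfiguration.json.
    sample = [
        {"Name": "CEFOutput", "Enabled": True, "Format": "CEF", "Host": "10.10.0.0",
         "Port": 514, "Alerts": True, "JobResults": True, "JobResults_Default": True},
        {"Name": "LEEFFile", "Enabled": True, "Format": "LEEF", "Folder": "C:\\Syslog\\LEEF",
         "JobResults": True, "JobResults_Default": True,
         "AlertsFieldMap": {"Fields": {"cs1": ["X_Event:CommandLine"]}}},
    ]
    for entry in sample:
        for severity, message in validate_export_type(entry):
            print(severity.upper(), message)
    print("Default 'Export Results to':", default_job_results_export(sample))
    print(sort_export_files(["2017-02-03_10-37-43_10.cef", "2017-02-03_10-37-43_9.cef"]))
```

Run it on the Windows Server after editing SyslogConfiguration.json and before restarting the export: an "error" line means the entry will silently export nothing (wrong Format, missing Folder) or is ambiguous (both destinations set), while a "warning" flags the X_Event performance cost the table calls out.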
