caspe

HIGHLY CONFIDENTIAL

EXT_SOC_DOC_Supported devices and connection methods

Version 1.2

9/16/2013 SecurView

EXT_SOC_DOC_Supported devices and connection methods Version 1.2

Table of Contents
1. 1.1 1.2 1.3 2. 3. 3.1 4. Introduction ............................................................................................................................................... 3 Purpose ................................................................................................................................................... 3 Scope ....................................................................................................................................................... 3 Reference Document .............................................................................................................................. 3 Supported vendor devices in SIEM ............................................................................................................ 4 Connection methods in SIEM..................................................................................................................... 9 Overview of the connection methods .................................................................................................... 9 Document Change Control ...................................................................................................................... 14

2|Page
SecurView Confidential Private Use Only

EXT_SOC_DOC_Supported devices and connection methods Version 1.2

1. Introduction 1.1 Purpose

The purpose of this document is to provide the list of supported vendor devices and connection methods by SIEM application.

1.2 Scope
The scope of the document is applicable to SIEM application.

1.3 Reference Document

3|Page
SecurView Confidential Private Use Only

EXT_SOC_DOC_Supported devices and connection methods Version 1.2

2. Supported vendor devices in SIEM

SIEM application used Collectors and Connectors (scripts) to on-board the device. Following table enlist the vendor devices for which Collectors available from SIEM vendor. In short these are the devices supported in SIEM application. List also highlights the connection method (Connectors) used for these devices.

Table 1

Vendor
AirPatrol Apache Attachmate Barracuda Blue Coat CA Check Point Cisco Cisco Cisco Cisco Cisco Cisco Cisco Cisco Cisco

Core Product
Wireless Locator System HTTP Server Luminet Web Application Firewall ProxySG Appliances SiteMinder Security Gateways Aironet Firewall Intrusion Prevention IronPort Network Admission Control Secure Access Control Server Security Agent Switch and Router VPN 3000

Build Date
Apr 2010 Sep 2011 Jun 2012 Apr 2010 Jul 2013 Jul 2011 May 2013 Jul 2011 Jan 2013 Jun 2012 Jul 2011 Jul 2011 Jul 2013 Jun 2010 Nov 2009 Sep 2009

Version
6.1r1 2011.1r1 2011.1r1 6.1r1 2011.1r1 6.1r1 2011.1r1 6.1r1 2011.1r1 6.1r4 6.1r1 6.1r1 2011.1r1 6.1r2 6.1r2 6.1r1 SYSLOG

Connectors

FILE,SYSLOG SYSLOG SYSLOG SYSLOG,FILE DATABASE LEA SYSLOG SYSLOG SDEE SYSLOG,FILE DATABASE,SYSLOG SYSLOG DATABASE SYSLOG SYSLOG

4|Page
SecurView Confidential Private Use Only

EXT_SOC_DOC_Supported devices and connection methods Version 1.2

Vendor
Cisco Enterasys Extreme Networks F5 F5 Fortinet Generic

Core Product
Wireless LAN Controller Dragon Summit Series BIG-IP Firepass FortiGate Asset

Build Date
Jul 2011 Sep 2009 Jan 2010 Jul 2010 Jul 2010 Feb 2013 Sep 2009

Version
6.1r1 6.1r1 6.1r1 6.1r1 6.1r1 2011.1r1 6.1r2 SYSLOG SYSLOG SYSLOG SYSLOG SYSLOG SYSLOG FILE

Connectors

NetIQ

Universal Event

Feb 2013

2011.1r1

FILE,SYSLOG,SNMP, WMS,DATABASE, PROCESS,LEA,SDEE, AUDIT,TEST_DATA_GEN NA FILE FILE SYSLOG SYSLOG DATABASE,FILE SNMP,SYSLOG,WMS DATABASE

Generic Generic Generic HP IBM IBM IBM IBM

Hostname Resolution Service IP Geolocation Service Identity HP-UX AIX DB2 Lotus Domino Proventia Scanner Network Enterprise

May 2011 Mar 2011 Sep 2009 Jan 2013 Jul 2012 Jun 2011 Jun 2010 Jul 2009

6.1r2 6.1r1 6.1r1 2011.1r1 6.1r3 6.1r3 6.1r1 6.1r1

IBM IBM IBM IBM

Tivoli Access Manager Operating Systems WebSphere Application Server iSeries zOS

for

Apr 2010 Feb 2010 Feb 2013 Nov 2009

6.1r1 6.1r1 2011.1r3 6.1r1

FILE FILE SYSLOG,FILE SYSLOG

5|Page
SecurView Confidential Private Use Only

EXT_SOC_DOC_Supported devices and connection methods Version 1.2

Vendor
Insecure.org Juniper Juniper Juniper Juniper McAfee McAfee McAfee McAfee McAfee McAfee Microsoft Microsoft Microsoft Microsoft Microsoft Nmap

Core Product

Build Date
Apr 2010 Feb 2010 Nov 2012 Dec 2010 Dec 2010 Jul 2013 Oct 2010 Oct 2010 Jul 2013 Dec 2009 Oct 2010 Sep 2011 Feb 2013 Sep 2011 Jul 2013

Version
6.1r1 6.1r1 2011.1r1 6.1r2 6.1r1 2011.1r1 6.1r2 6.1r2 2011.1r1 6.1r2 6.1r5 2011.1r1 2011.1r3 2011.1r1 2011.1r2 6.1r1 FILE SYSLOG SYSLOG SYSLOG SYSLOG SYSLOG

Connectors

IDP Series Netscreen Series Routers and Gateways SA Series Firewall Enterprise Host Intrusion Prevention Network Security Platform VirusScan Enterprise Vulnerability Manager ePolicy Orchestrator Active Directory Identities Active Directory and Windows DHCP Exchange Server

DATABASE DATABASE FILE,WMS DATABASE DATABASE FILE WMS,SYSLOG FILE WMS,FILE WMS

Forefront Protection 2010 for Jul 2011 Exchange Forefront Server Management Security Jul 2011

Microsoft

6.1r1

DATABASE

Microsoft Microsoft Microsoft Microsoft

Forefront Threat Management Jul 2011 Gateway IIS ISA Server SQL Server May 2013 Dec 2009 Dec 2009

6.1r1 2011.1r1 6.1r1 6.1r2

DATABASE,FILE SYSLOG,FILE FILE SYSLOG,DATABASE

6|Page
SecurView Confidential Private Use Only

EXT_SOC_DOC_Supported devices and connection methods Version 1.2

Vendor
Microsoft NetIQ NetIQ NetIQ Nortel Novell Novell NetIQ NetIQ Novell Novell Novell Novell Novell Novell Novell Novell SUSE Novell Novell Novell Novell Novell System Manager

Core Product
Center Operations

Build Date
Jan 2010 Jun 2013 Sep 2011 Jul 2013 Sep 2009 Apr 2010 Mar 2010 Oct 2012 Jun 2012 May 2011 Apr 2011 Sep 2009 Nov 2009 Jan 2010 Mar 2011 Oct 2010 Sep 2009 Jul 2013 Jan 2010 Dec 2009 Sep 2011 Jan 2013 Apr 2011

Version
6.1r1 2011.1r3 2011.1r1 2011.1r3 6.1r1 6.1r1 6.1r1 2011.1r1 2011.1r1 6.1r1 6.1r7 6.1r2 6.1r3 6.1r4 6.1r6 6.1r1 6.1r1 2011.1r1 6.1r1 6.1r2 2011.1r1 2011.1r1 6.1r4

Connectors
DATABASE SYSLOG SYSLOG SYSLOG SYSLOG DATABASE AUDIT FILE,AUDIT FILE,SYSLOG SYSLOG AUDIT,SYSLOG Not Applicable AUDIT,FILE AUDIT,FILE SYSLOG SYSLOG SYSLOG SYSLOG AUDIT,FILE WMS,SYSLOG SENTINEL_LINK AUDIT,SYSLOG AUDIT

Agent Manager Change Guardian (Legacy) UNIX Agent VPN Access Governance Suite Access Manager SSL VPN Access Manager Cloud Manager Cloud Security Service Identity Manager Identity Vault Modular Authentication Services NetWare Open Enterprise Server PlateSpin Orchestrate Privileged User Manager Linux Enterprise Server SecretStore SecureLogin Sentinel Link eDirectory iManager

7|Page
SecurView Confidential Private Use Only

EXT_SOC_DOC_Supported devices and connection methods Version 1.2

Vendor
OpenLDAP Oracle Oracle Oracle Qualys RSA Rapid7 Red Hat SAP SonicWALL Sourcefire Oracle Sun Symantec Symantec Tenable TippingPoint Trend Micro Websense eEye eEye nCircle slapd

Core Product

Build Date
Feb 2010 Nov 2009 Mar 2011 May 2013 Jul 2009 Jan 2010 Feb 2010 May 2013 Jun 2012 Jan 2013 Feb 2013

Version
6.1r1 6.1r1 6.1r2 2011.1r1 6.1r1 6.1r1 6.1r2 2011.1r1 6.1r3 2011.1r1 2011.1r1 2011.1r1 6.1r1 6.1r1 2011.1r2 6.1r2 6.1r3 2011.1r1 2011.1r1 6.1r3 6.1r1 6.1r1 SYSLOG FILE

Connectors

BEA WebLogic Server Database Solaris QualysGuard ACE Server NeXpose Enterprise Linux CCMS Firewall Snort Directory Edition MySQL Critical System Protection Endpoint Protection Nessus Security Management System OfficeScan Web Security REM Retina IP360 Server Enterprise

DATABASE SYSLOG FILE FILE DATABASE SYSLOG SAP SYSLOG FILE,SYSLOG,DATABASE FILE DATABASE DATABASE SYSLOG,FILE,DATABASE FILE SYSLOG FILE,WMS SNMP,DATABASE DATABASE DATABASE FILE

Nov 2012 Nov 2009 Apr 2010 Apr 2013 Nov 2009 Apr 2010 Aug 2013 Nov 2012 Oct 2011 Jul 2009 Jul 2009

8|Page
SecurView Confidential Private Use Only

EXT_SOC_DOC_Supported devices and connection methods Version 1.2

3. Connection methods in SIEM

In SIEM application, supports different connection methods as mentioned in table (Table 1).
Table 2

Name
Agent Manager Check Point (LEA) Cisco SDEE Database (JDBC) File IBM Mainframe NetIQ Audit Process SAP XAL SNMP Sentinel Link Syslog Test Data Generator Windows Event (WMI)

Short Name
Agent_Manager LEA SDEE DATABASE FILE MAINFRAME AUDIT PROCESS SAP SNMP SENTINEL_LINK SYSLOG TEST_DATA_GEN WMS

Build Date
Jun 2013 Aug 2011 Sep 2009 Dec 2012 Oct 2011 Sep 2008 Sep 2013 Aug 2009 Sep 2009 Dec 2011 Feb 2013 Feb 2013 Aug 2009 Mar 2013

Version
2011.1r1 2011.1r1 6r3 2011.1r2 2011.1r1 6r1 2011.1r2 6r3 6r2 2011.1r1 2011.1r3 2011.1r2 6r1 2011.1r2

3.1 Overview of the connection methods

3.1.1 Agent Manager The Agent Manager Connector routes events sent by the Agent Manager Central Computer to the appropriate Collector for parsing and normalization. The Agent Manager Central Computer communicates directly with the Agent Manager Agents that collect data from monitored servers. The Agent Manager Connector does the following: Listens on the HTTP or HTTPS ports for JSON messages by using an embedded Jetty server. Auto-instantiates event sources, event source groups (Connectors), and Collectors, if required. Routes events from Agent Manager agents to the appropriate Event Sources and Collectors.

9|Page
SecurView Confidential Private Use Only

EXT_SOC_DOC_Supported devices and connection methods Version 1.2

3.1.2

Check Point (LEA) The Check Point (LEA) Connector does the following: Connects to Check Point Firewall Server or Firewall Management Server to read from both Firewall logs and Audit logs. Supports the following communication protocols: o Cleartext (no encryption) o SSL with certificates (Check Point Firewall NG and above only) o SSL with keys (Check Point Firewall NG and above only) o SSL with no keys/certificates (firewall 4.1 only) Supports configurable data field resolution. Supports setting and maintaining an offset, or point at which to start reading data. Supports resolving hostname/IP, Service, Protocol, and other fields. The values in the LEA message are in a Name Value Pair format. The format of the data in the LEA message is in a binary format. The raw data is manipulated so that it is more easily human readable, but the individual values in the NVP are saved exactly as they are found in the original format. Cisco SDEE The SDEE Connector does the following: Makes connections to SDEE devices through HTTPS or HTTP connections. Filters to fetch specific events. Sets offset (a starting point for reading data) Raw Data Format: The values in the SDEE message in a Name Value Pair format. The format of the data in the SDEE message is in an xml format. The raw data is manipulated so that it is more easily human readable and can be stored in a single line in the raw data file, but the individual values in the NVP are saved exactly as they are found in the original format. Database (JDBC) The Database Connector does the following: Connects to the major database platforms through a JDBC connection. Runs an SQL query directly on the source databases or executes a stored procedure. Returns the query results to the Collector in either NVP (name value pair) or data map format. Supports an offset to specify the starting point for data collection in the database. Verifies if a valid JDBC driver is available to connect to the database. Supports uploading JDBC driver file. Supports testing the connection with the database to validate the configuration settings and availability of the network connection. Starts and stops the connection with the databases. Automatically reconnects to database server if the Connector loses its connection to the database server for any reason (such as database server shutdown). Supports the Secure Socket Layer (SSL) protocol to retrieve data from the database. 10 | P a g e

3.1.3

3.1.4

SecurView Confidential Private Use Only

EXT_SOC_DOC_Supported devices and connection methods Version 1.2

Ensures reliability: o Uses JDBC protocol with TCP, which is a connection oriented protocol. This ensures guaranteed reliability on the data transferred over the network. o Maintains an offset containing the last record processed successfully. If there is a system crash, or a server restart, the data collection is resumed from where it was left off without any duplicates. o Automatically reconnects to the event sources if the connection is lost

3.1.5

File The File Connector does the following: Reads local or remote files accessible to the user running the Sentinel service from the Collector Manager. Reads records from any file-type Event Source and passes each record to a Collector script for processing.

3.1.6

IBM Mainframe The Mainframe Connector intercepts write-to-operator (WTO) console messages from the mainframe, translates them into standard syslog format and sends them to Novell Sentinel NetIQ Audit The Audit Connector does the following: Server Component: o Listens on a configurable TCP port for connections from Platform Agents o Receives and processes messages (events) from the Platform Agents o Filters messages based on application o Buffers messages to increase the reliability of message delivery. For more information. o Communicates with the Platform Agents using SSL Client Component: o Forwards the event message from the Audit Connector to the appropriate Collector. o Automatically creates Event Sources based on a user-configured auto configuration policy. Process Process Connector supports the following functionality: Starts and stops processes that connect to devices, for example, a custom-coded executable to pull event data from a proprietary event source. Captures Standard Output and Standard Error from processes. Restart the process if the process exits unexpectedly. Supports filtering feature to fetch specific events from the Standard Output and Standard Error of the process. 11 | P a g e

3.1.7

3.1.8

SecurView Confidential Private Use Only

EXT_SOC_DOC_Supported devices and connection methods Version 1.2

Accept Collector TX message and feeds it to the Standard Input of the process. Raw Data: The complete "line" of text ready from stdout/err. The raw data is not manipulated.

3.1.9

SAP XAL This Connector is designed to provide data collection services using standard SAP protocols. Makes connections to SAP CCMS services through SAP BAPI protocols, using the sapjco3 libraries. Polls for alert data from a configured SAP CCMS Monitoring Tree node. Formats alerts as JSON records, and forwards them to the SAP CCMS Collector. Acknowledges received alerts. SNMP This SNMP Connector does the following: Starts and stops connector that subscribes to an SNMP server listening on a UDP port. Supports filtering to fetch specific events from the SNMP traps by applying the regex patterns on the input data at the Connector level. Can spawn multiple Trap receiver servers and multiplex the trap data into one collector. Supports multiple subscriptions from a single collector to one SNMP server. Supports SNMP v1, SNMP v2, and SNMP v3 trap messages. Supports SNMP traps other than public community. Supports character encoding. This is needed for receiving SNMP trap messages containing double-byte characters in languages such as Chinese, Japanese, and so forth. Raw Data Format: The values in the SNMP trap are in a Name Value Pair format. The format of the data in the SNMP trap is in a binary format. The raw data is manipulated so that it is human readable, but the individual values in the NVP are saved exactly as they are found in the original format. Sentinel Link The Sentinel Link Connector does the following: Sentinel Link Server Component: o Listens on HTTP or HTTPS ports for JSON messages (using an embedded Tomcat server).Content type for messages must be application/json or application/json-compressed. The application/json-compressed content type indicates that the message is compressed by using ZLIB compression. Compressed data must be in the ZLIB format. In addition, there must be an Uncompressed-Length header that contains the uncompressed length of the original data. The uncompressed JSON string must be a UTF-8 string. o Auto-instantiates event sources, event source groups (Connectors), and Collectors if required. 12 | P a g e

3.1.10

3.1.11

SecurView Confidential Private Use Only

EXT_SOC_DOC_Supported devices and connection methods Version 1.2

o No parsing of the JSON is done. Un-tweaked messages are forwarded to event sources and event source groups. Sentinel Link Event Source Component: Forwards the event message (including both structure and content) from the Sentinel Link server to the Collector without modifications

3.1.12

Syslog The Syslog Connector does the following: Syslog Server Component: o Listens on TCP, UDP, or SSL (over TCP) ports for Syslog messages. o Parses incoming message looking for Syslog standard message components (Priority, Date, host name, and Message). o Inserts supplementary data using the RFC 3164 "BSD Syslog Protocol", if the message is missing Priority, Date, or host name. o Determines Facility and Severity from the Priority. o Filters messages sent to Syslog clients based on Facility and Severity. o Buffers Syslog messages in the memory and the file system to increase the reliability of message delivery. o Provides a secure channel with end devices (SSL over TCP) to collect data. Supports certificate based mutual authentication. o Supports TCP to reliably collect data from end devices. o Stores messages in a file base d persistent store. This helps Syslog Connector in handling high incoming event spikes, preventing event drop, reducing memory usage by off-loading events to File System, and retaining data in the event of a system crash. Syslog Client Component: o Forwards the event message (including both structure and content) from the Syslog server to the Collector without modifications. o Filters messages submitted to the Collector for parsing based on Syslog Severity, Facility, or message content. o Automatically creates Event Sources based on a user-configured autoconfiguration policy. Test Data Generator The Data Generator Connector does the following: Generates random test data at a specified rate per second that can be parsed by the Generic Event Collector. Raw Data Format: The generated message Windows Event (WMI) This Sentinel plug-in supports the following functionalities: Supports remote (agent-less) collection of Windows Event Logs. Supports collecting historical and real-time events from Windows Event Logs. 13 | P a g e

3.1.13

3.1.14

SecurView Confidential Private Use Only

EXT_SOC_DOC_Supported devices and connection methods Version 1.2

Supports collecting events from domain and non-domain environments. Supports fetching specific events (filtering) from the event logs. Collects data from different types of event logs such as Application, Security, and System. Supports event source synchronization with the Active Directory. Provides a secure channel (WMI) from WECS to event sources to collect data. Provides a secure channel (SSL over TCP) from WECS to Connector. Compresses (gZip) events sent from WECS to Connector. Ensures reliable event collection by using WMI. WECS reconnects to the event sources and Connectors in case the connection is lost.

4. Document Change Control

Issue Number 1.0 1.1 1.2 Issue Date
January 23, 2013 May 03, 2013 September 16, 2013

Changed By
Mahesh Patharkar Mahesh Patharkar Mahesh Patharkar

Details
Version 1.0 Version 1.1 Version 1.2

-End of Document-

14 | P a g e
SecurView Confidential Private Use Only