Back to Home

An example of integrating a corporate antivirus with a SIEM platform. Part 2

We continue to consider examples of integrating corporate antivirus with SIEM systems. This time we’ll talk about the possibilities of exporting information from antivirus to any third-party ...

An example of integrating a corporate antivirus with a SIEM platform. Part 2



    We continue to consider examples of integrating corporate antivirus with SIEM systems. This time we’ll talk about the possibilities of exporting information from antivirus to any third-party SIEM system.

    In the first part of this article, we have already talked about what SIEM is , why it is needed and what advantages it provides for expert analysis of information security related events. In short, the SIEM system allows you to collect a huge amount of primary information from other applications and security systems (for example, firewall, antivirus, IDS / IPS, etc.), identification and access control systems, operating system, databases, etc. for processing these data for interconnection (correlation) and providing them in a form convenient for viewing and analysis.

    Recently, more and more often they began to talk about SIEM systems, especially since for certain companies and organizations the availability of their own SIEM system becomes not only relevant, but also a prerequisite.

    In order for the SIEM system to provide the most extensive and complete information, it is necessary that as many devices, objects and applications as possible “provide” it with primary information. It is clear that corporate antivirus is one of the main data providers here. But how to integrate it with a SIEM system?

    Consider this issue on the example of cloud-based corporate antivirus Panda Adaptive Defense 360. In the firstIn part of the article, we considered the option of integrating antivirus with our own simplified SIEM-system Advanced Reporting Tool. In the second part of the article, we will consider the situation when it is necessary to integrate the antivirus with a third-party SIEM system (the user already has his own SIEM system or is planning to purchase a specific system).

    SIEMFeeder


    What is SIEMFeeder

    SIEMFeeder is a special service developed by Panda Security to transfer information and knowledge from the corporate antivirus Adaptive Defense 360 ​​to the corporate SIEM platform of third-party manufacturers.

    The main goal of this service is to enrich the corporate SIEM platform with detailed information about the activity of each process running on corporate computers. As a result of this, the system administrator can get unprecedented visibility of everything that happens on the corporate network. SIEMFeeder facilitates the detection of unknown threats, targeted attacks to steal confidential corporate information, persistent threats of increased complexity (APT).

    SIEMFeeder Architecture



    SIEMFeeder collects information about the activity of each application and process running on the corporate network, thanks to continuous monitoring of the entire network by the corporate antivirus Adaptive Defense 360. This information in the Panda cloud platform with Big Data is automatically analyzed using artificial intelligence technologies to generate special security knowledge. As a result of this, each process that is started on each computer in the enterprise network is classified with an accuracy of about 99.999% and with practically zero false positives. After that, SIEMFeeder transfers this entire flow of information to the corporate SIEM server.

    Moreover, to get the most out of SIEMFeeder, you do not need to make any changes to the settings of computers on your corporate network: the service works inside the Panda Security infrastructure.

    The information flow is as follows:

    • Computers on the corporate network protected by Adaptive Defense 360 automatically send information about each running process to the Panda cloud
    • The Panda cloud receives information, processes it and adds special security knowledge
    • SIEMFeeder service receives information from the Panda cloud and encapsulates it in the form of logs, which are then passed to the user
    • sFTP server in the corporate network accepts logs from SIEMFeeder for temporary storage and subsequent transfer to the SIEM server.

    In addition, the architecture contains firewalls on the perimeter of the corporate network and locally on computers on the network to protect incoming and outgoing traffic.

    Implementation and Integration Requirements

    In order to correctly integrate the integration of a corporate antivirus with a SIEM system as part of this example, the following requirements must be taken into account:

    • implementation
    requirements • SIEM system

    requirements Implementation requirements

    To implement and use SIEMFeeder, you need:

    • computers on which Adaptive Defense 360 ​​Enterprise Security Solution installed
    • active license for SIEMFeeder
    • sFTP server
    • correctly configured firewall (built-in to Adaptive Defense 360 ​​or third-party)
    • sufficient bandwidth of the communication channel for receiving data

    sFTP server

    An sFTP server must be installed on the corporate network with the following characteristics:

    • it must have Sufficient storage for information received from SIEMFeeder. Approximate size: 2 MB from each computer per day
    • The sFTP server must support up to 10 simultaneous connections with the same account
    • Connection of password-authenticated accounts
    • time after which the data connection is disconnected if there is no data traffic: 20 minutes

    Firewall settings

    To establish a connection between SIEMFeeder and sFTP server, all intermediate firewalls must allow network traffic with the following characteristics:

    • access via port 22 to sFTP server
    • access from IP address 91.216.218.191
    • transport layer protocol: TCP
    • application layer protocol: SSH
    • Connection type: incoming traffic to the corporate network

    SIEM system requirements


    Supported SIEM systems

    For SIEM system compatibility with SIEMFeeder, it is necessary that it supports the following log formats: ArcSight Common Event Format (CEF) and QRadar Log Event Extended Format (LEEF).

    SIEMFeeder can send data in either of these two formats (CEF or LEEF). The following is a limited list of SIEM servers that are compatible with the above formats (for example):

    • AlienVault Unified Security Management (USM)
    • Fortinet (AccelOps) FortiSIEM
    • Hewlett Packard Enterprise (HPE) ArcSight
    • QRadar Security Intelligence Platform (IBM)
    • McAfee Enterprise Security Manager (ESM) (Intel Security)
    • LogRhythm
    • SolarWinds Log & Event Manager (LEM)
    • Splunk Security Intelligence Platform

    Configuring the SIEM server

    To correctly configure the SIEM server, you must import the sFTP server as a data source and correctly compare the events and fields received from the SIEMFeeder (see below for more details on the transmitted data).

    SIEMFeeder Availability


    SIEMFeeder service is available around the clock in 24/7 format. Any possible pauses in the operation of this service will be previously notified to the administrator.

    To prevent data loss in the event of a failure, inaccessibility of the user's sFTP server or as a result of any other errors, Panda Security saves the logs generated by SIEMFeeder until they are transmitted to the user (for a reasonable period of time).

    Transmitted events and data


    SIEMFeeder transforms information received from the Adaptive Defense 360 ​​corporate antivirus into events. Thus, an event is the basic unit of information transmitted by SIEMFeeder.

    Event Structure in SIEMFeeder





    An event consists of a variable number of field-value pairs and one type / category of event. Field-value pairs depend on the type of event.
    In addition, a preamble is added to the event with the information necessary to encapsulate the event in a log file compatible with CEF or LEEF. This information allows SIEM to correctly identify events in the form of compatible logs and include them in their repository.

    Event group A log

    file is a group of events transmitted to a SIEM server. These log files generated by SIEMFeeder are of different sizes and may contain one or more events belonging to different categories. In addition, events included in a single log file may contain information from one or more user computers.

    Sequences and delays in receiving information

    The maximum amount of time that can elapse from the moment when an event occurs on a user's computer until the moment information about him is delivered to the SIEM system is 20 minutes. Adaptive Defense 360 ​​agents interact with the cloud every 10 minutes, after which the data is processed in the cloud and supplemented with special security knowledge, transformed into a log file and sent to the user's SIEM system using SIEMFeeder.

    SIEMFeeder does not send log files in a predetermined sequence. However, all the logs contain a timestamp, which allows the SIEM server to precisely “arrange” events on the timeline.

    SIEFFeeder CEF file format

    As we mentioned earlier, SIEMFeeder can send information in two formats: CEF or LEEF.

    The CEF format contains two data sections: a prefix or preamble that identifies the event category, and an extension section with fields and values. At the same time, SIEMFeeder does not include the syslog header in the CEF logs. Example:

    CEF: 1 | Panda Security | paps | 02.43.00.0000 | registryc | 1 |
    ClientId = Date = 2016-11-04 23: 47: 49.000087 MachineName = WIN-JNTIXXX MachineIP = xxx.219.203.xx User = NT AUTHORITY \ LOCAL SERVICE MUID = 33432C7635XXXX1ECE94F666D12XXXXX Op = CreateExeKey Hash = C78655BC4EF1DEF1D1EF1DEF1DEF1DEF1DEF1DEF1EF101DEF1EF101DEF1EF101DFECDEFEFE svchost.exe ValidSig = Company = Microsoft Corporation Broken = true ImageType = EXE 64 ExeType = Unknown Prevalence = High PrevLastDay = Low HeurFI = 67108872 Skeptic = AVDets = 0 JIDFI = 3431976 1NFI = 132943 JIDMW = 11197481 1NMW = 51537 = Cat5373711123 Goodware MWName = TargetPath = 0 | pune.com RegKey = \ REGISTRY \ MACHINE \ SYSTEM \ ControlSet001 \ services \ Tcpip \ Parameters? DhcpDomain

    Prefix

    CEF: 1 | Panda Security | paps | 02.43.00.0000 | registryc | 1 |

    CEF version (CEF: 1) : Log format and version identifier
    Device vendor (Panda Security): Name of service provider
    Product (paps) : Internal name of the software or device
    Signature ID (2.43.00.0000) : Protection version that generates the event
    Name (registryc) : Type of event sent
    Severity (1) : Criticality of the event. This value is always “1”, except for events with the alert type (alertmalware, alertpup, exploits). We will talk more about event types below.

    Extensions

    The extensions section contains various fields with different information depending on the Name field (event type).

    Encoding
    All log files sent by SIEMFeeder use UTF-8 encoding.

    SIEFFeeder LEEF File Format


    The LEEF format contains two data sections: the LEEF header, which identifies the event category, and the attribute section, which contains information about the event in the form of fields and values. At the same time, SIEMFeeder does not include the syslog header in the LEEF logs.

    Example:

    LEEF: 1.0 | Panda Security | paps | 02.43.00.0000 | registryc | sev = 1 devTime = 2016-09-22 15: 25: 11.000628 devTimeFormat = yyyy-MM-dd HH: mm: ss.SSS usrName = LOCAL SERVICE domain = NT AUTHORITY src = 10.219.202.149 identSrc = 10.219.202.149 identHostName = PXE68XXX HostName = PXE68XXX MUID = 1F109BA4E0XXXX37F9995D31FXXXX319 Op = CreateExeKey Hash = C78655BC80301D76ED4FEF1C1EA40A7D DriveType = Fixed Path = SYSTEM | \ svchost.exe ValidSig = Company = Microsoft Corporation Broken = true ImageType = EXE 64 ExeType = Unknown Prevalence = High PrevLastDay = Low HeurFI = 67108872 Skeptic = AVDets = 0 JIDFI = 3431993 1NFI = 116241 JIDMW = 11195630 1NMW = 4308325 Class = 100 Cat = Goodware MWName = TargetPath = 0 | pune.com Regreg MACHINE \ SYSTEM \ ControlSet001 \ services \ Tcpip \ Parameters? DhcpDomain LEEF

    header
    : 1.0 | Panda Security | paps | 02.43.00.0000 | registryc |

    LEEF version (LEEF: 1) : Log format and version identifier
    Vendor (Panda Security) : Name of service provider
    Product (paps) : Internal name of the software or device
    Version ID (2.43.00.0000) : The version of protection that generates the event
    Event Description ID (registryc) : Type of event sent

    In the log files in LEEF format, the Severity event parameter is not transmitted in the header, but it is indicated in the section with attributes (“Sev = number” field)

    Attributes

    section The attributes section contains various fields with different information depending on the type of event.

    Event Categories


    The type of event received is displayed in the Name field in the prefix section (CEF format), or in the Event Description ID field in the header (LEEF format).

    The following is a list of all possible events with explanations of their values, grouped by type:

    Adaptive Defense 360 agent deployment

    install : agent installation
    upgrade : agent upgrade
    uninstalll : uninstall agent

    Create an alert

    alertpup : An alert that is generated after a potentially unwanted program is detected (PUP) )
    alertmalware: Notification generated after detecting a malware sample
    exploits : Notification generated after detecting an exploit

    Changes in the user's operating system

    hostfiles : hosts file has been changed
    monitoredregistry : Read access to the computer registry
    registrym : Changing the registry branch in order to to point to an executable file
    registryc : Create a branch in the registry that points to an executable

    Process Processing

    createremotethread : A remote start thread has been created
    createprocess : A process has been created
    exec : process completed
    createpe : executable program created
    modifype : executable file changed
    renamepe : renamed executable file
    deletepe : executable program deleted
    loadlib : library

    downloaded File download

    urldownload : file

    accessed Data access

    createcmp : archived file created
    opencmp : Opened archive file
    monitoredopen : Access to controlled data files
    createdir : A folder was created in the file system
    socket : Network connection was established

    Blocking information

    toast : Adaptive Defense showed a pop-up message
    notBlocked : The corresponding file was not scanned at boot time
    toastBlocked : Active Defense showed a pop-up message after blocking an unknown file

    Event Structure and Field Syntax


    SIEMFeeder describes each dispatched event using a field-value pair. Events in SIEMFeeder are divided into two types: active events and passive events.

    Internal structure of active events

    Most of the received events describe situations in which the parent process performs an action on the child process. The type of element that receives the action varies depending on the category of the event. Thus, a child may be:

    Another process : In events where a process is being downloaded / loaded, a library is loaded, etc.
    Executable file : In events where it is created, changed, the program is deleted
    System file: In events where manipulations with the hosts file, registry are performed
    Data file : In events where access to Office files, databases, etc.
    Downloadable file : In events where the process downloads data
    Archived file : In events, where the archived file is created, changed, deleted
    Folder : In the events where it is created, changed, the folder is deleted

    Depending on its type, the event will or will not contain certain fields that describe the characteristics of the parent and child elements. For example, if the type of event is associated with the creation of the folder, then the fields associated with the event will describe the characteristics of the parent process (malware or not, process path, process meta-data, etc.), as well as the characteristics of the child process. However, in this case, since we are dealing with a folder, some event fields will be empty.

    The internal structure of passive events

    We are talking about events that in most cases do not have a clearly defined parent or child process. Passive events, for example, include the generation of alerts when a malicious program is detected, or the installation / modification / removal of an Adaptive Defense 360 ​​agent.

    Parent and child prefixes

    Active processes that include two files or processes show Parent and Child prefixes to indicate what information the process belongs to:

    Parent : Fields starting with the Parent tag describe the attribute of the parent process
    Child : Fields starting with Child tags describe the attribute of the child process.

    Other prefixes and affixes.

    Many fields and values ​​use abbreviations. Knowing their meaning, it is much easier to interpret the field in question:

    Sig : Digitally signed
    Exe and pe : Executable file
    Mw : Malicious program
    Sec: Seconds
    Op : Operation
    Cat : Category
    PUP : Potentially unwanted program
    Ver : Version
    SP : Service pack
    Cfg : Configuration
    Cmp and comp : Archived file
    Dst : Destination

    Description of fields


    Below is information about the available fields with the data that they contain.
    action (number): Action taken by the Adaptive Defense agent

    • Allow
    • Block
    • Pending blocking

    alertType (number): Category of threat that triggered the alert
    • Malicious program
    • PUP
    • Exploit

    broken (Boolean) : File is corrupted or defective

    cat (number) : Category of the file that performed the described operation
    • Malicious program
    • Malicious program
    • PUP
    • Unknown
    • Monitoring

    childBroken (Boolean): Child process is damaged or malfunctioning

    childCat (number): Category of the child file that performed the described operation
    • Malicious program
    • Malicious program
    • PUP
    • Unknown
    • Monitoring

    childCompany (string): Contents of the Company attribute in the
    metadata of the child process childDriveType (number): The type of disk on which it resides the child process / file that performed the described operation

    • Fixed
    • Remote
    • Removable

    childExeType (number): Internal structure / type of executable file

    • Delphi
    • DOTNET
    • VisualC
    • VB
    • CBuilder
    • Mingw
    • Mssetup
    • Setupfactory
    • Lcc32
    • Vc7setupproject
    • Unknown

    childHash (MD5): Hash of the child process
    childImageType (number): Internal architecture of the child process

    • EXEx32
    • EXEx64
    • DLLx32
    • DLLx64

    childMwname (string): Name of the malicious program if the child process is classified as a threat
    • Null: object is not a malware

    childPath (path string): Path to the child file that performed the described operation
    childPrevalence (number): Frequency of the child process on Panda Security systems over their lifetime

    • High
    • Medium
    • Low

    childPrevLastDay (number): The frequency of the child process on Panda Security systems on the previous day
    childValidSig (Boolean): The child process is digitally signed
    clientCat (number): Object category stored in the Adaptive Defense agent cache

    • Goodware
    • Malware
    • PUP
    • Unknown
    • Monitoring

    clientId (number): User ID
    company (string): Content of the Company attribute in the meta data of the
    companyName process (string): Content of the Company attribute in the meta data of the vulnerable file
    date (date): Date from the user's computer when the direction event was generated
    (number): the network connection direction

    • Outgoing
    • Incoming
    • Bi-directional
    • Unknown

    DriveType (number): Disc Type, which is the process / file that performed the described operation

    • Fixed
    • Remote
    • Detachable

    dstIp (the IP address): the IP-address of the recipient connections
    dstIp6 (IPv6 address): IPv6 address of the recipient of the connection
    dstPort (range 0-65535): Port of the recipient of the connection
    dwellTimeSecs (seconds): Time in seconds since the first observation of the threat in the user's network
    executionStatus (number): Indicates whether the detected one was launched threat

    • Launched


    exeType (number) is not running : Internal structure / type of executable file
    • Delphi
    • DOTNET
    • VisualC
    • VB
    • CBuilder
    • Mingw
    • Mssetup
    • Setupfactory
    • Lcc32
    • Vc7setupproject
    • Unknown

    fileName (string): Name of vulnerable file
    filePath (string): Full path to vulnerable file
    fileVersion (string): Contents of the Version attribute in the meta-data of the vulnerable
    hash file (MD5) :
    ImageType (number) file hash : Internal process architecture

    • EXEx32
    • EXEx64
    • DLLx32
    • DLLx64

    internalName(string): The content of the Name attribute in the meta-data of the vulnerable file
    itemHash (MD5 string) : Hash of the
    detected threat or vulnerable itemName (string) : Name of the detected threat
    itemPath (path string) : Full path to the file that contains the
    key (string ) : Branch or key of the affected registry
    localCat (number) : Object category calculated by the Adaptive Defense agent

    • Goodware
    • Malware
    • PUP
    • Unknown
    • Monitoring

    loggedUser (string) : The user authorized in the system during the generation of the
    machine event : Name of the computer of the user who performed the described operation
    machineIP (IP address) : IP address of the computer of the user who performed the described operation
    machineIP1 (IP address) : IP-alias of the computer of the user who performed the described operation
    machineIP2 (IP address) : IP-alias of the computer of the user who performed the described
    machineIP3 ( IP address) : IP alias of the computer of the user who performed the described operation
    machineIP4 (IP address) : IP alias of the computer of the user who performed the described operation
    machineIP5 (IP address) : IP alias of the computer of the user who performed the described
    machineName (string) operation : Name com yutera user who performed the operation described
    muid (String, format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) : Internal client computer ID
    numCacheClassifiedElements (number) : Number of objects classified in the Adaptive Defense cache
    mwName (string) : Name of the malicious sample if the object is cataloged as a threat

    Null : The item is not malware
    op (number): Operation performed by the process
    • Install
    • Uninstall
    • Upgrade
    • CreateDir
    • Exec
    • CreatePE
    • DeletePE
    • LoadLib
    • OpenCmp
    • RenamePE
    • CreateCmp

    osPlatform(number): Platform of the operating system installed on the user's computer

    • WIN32
    • WIN64

    osSP (string) : Service pack of the operating system installed on the user's computer
    osVer (string) : Version of the operating system installed on the user's computer
    path (path string) : The path to an object that performed the operation described by
    the params (: string) : The parameters of a process
    parentBroken (Boolean a) : The parent process is damaged or defective
    parentCat (number) : Category parent file that describe the operations performed

    • non-malicious program
    • Vredono naya Program
    • ANP
    • Unknown
    • Monitoring

    parentCompany (string) : The content of the Company attribute in the

    metadata of the parent process parentDriveType (number): The type of disk on which the parent process / file that performed the described operation is located

    • Fixed
    • Remote
    • Removable

    parentExeType (number): Internal parent process structure / type

    • Delphi
    • DOTNET
    • VisualC
    • VB
    • CBuilder
    • Mingw
    • Mssetup
    • Setupfactory
    • Lcc32
    • Vc7setupproject
    • Unknown

    parentHash (MD5) : Hash of the parent process
    parentImageType(number): Internal architecture of the parent process

    • EXEx32
    • EXEx64
    • DLLx32
    • DLLx64

    parentMwname (string): Name of the malware if the parent process is classified as a threat

    • Null: The object is not malware
    parentPath (path string): Path to the parent file, who performed the described operation

    parentPrevalence (number): The frequency of the parent process in Panda Security systems over their lifetime

    • High
    • Medium
    • Low

    parentPrevLastDay (number): The frequency of the parent process in Panda Security systems over the previous day

    parentValidSig(Boolean): The parent process is digitally signed

    Port (0-65535) : Communication port used by the process
    Prevalence (number): Frequency of the process in Panda Security systems over their lifetime

    • High
    • Medium
    • Low

    prevLastDay (number): Frequency of occurrence process on Panda Security systems for the previous day

    • High
    • Medium
    • Low

    productVersion (string): Contents of the ProductVersion attribute in the meta data of the vulnerable file
    protocol (number): Communication protocol used by the process

    • TCP
    • UDP
    • ICMP
    • ICMPv6
    • IGMP
    • RF

    regAction (number): Type of operation performed in the computer registry
    • CreateKey
    • CreateValue
    • ModifyValue

    regKey (string): registry key
    responseCat (number): File category returned by the cloud

    • Unknown = 0
    • Malicious program = 1
    • Malicious program = 2
    • Suspicious file = 3
    • Compromised file = 4
    • Unconfirmed non-malicious program = 5
    • PUP = 6
    • Unwanted non-malicious program = 7

    serverdate : Date from the user's computer when the serviceDriveType event was generated
    (number): The type of disk on which the driver receiving the action
    sonFirstSeen (date) is located: The time the object was first detected that caused the pop-up message to
    appear sonLastQuery (date): The time the process that caused the pop-up message to appear on the user's computer for the last time sent a request to the cloud
    targetPath (path string): Path to the executable referenced by the
    toastResult (number) registry branch : User response to the pop-up message shown by the Adaptive Defense solution

    • OK: The user received the message
    • Timeout: Pop-up message stopped showing due to lack of action on the part of the user for a set period of time
    • User rejected the blocking action
    • Block
    • Allow

    user (string): User account used by the process that performed the described operation
    url (URL string): URL to download caused by the process that generated the described event
    validSig (Boolean): Process, digitally signed
    value (string): Name of the changed value in the registry key
    valueData (string): Contents of the registry key value
    ver (string): Agent version Adaptive Defense
    version (string): Agent version Adaptive Defense
    winningTech (number): The technology that generated event

    • Unknown
    • Cache
    • Cloud
    • Context
    • Serializer
    • User
    • Legacyuser
    • Netnative
    • certifUA

    Conclusion


    Adaptive Defense 360 ​​is able to automatically and practically in real time transfer a huge amount of information about all processes monitored on computers in the corporate network to a third-party SIEM system. In turn, the SIEM system allows you to instantly provide processed expert information in a digestible form so that the user can make effective decisions to counter malicious and unauthorized actions, minimize security risks and prevent corporate data leakage. In addition, SIEM systems can be used to thoroughly investigate information security incidents to establish what, where, when, how, and with whom it happened.

    However, even if the enterprise already has a corporate antivirus, a separate Adaptive Defense product can be used as a “collector” of a huge amount of primary information with its subsequent automatic uploading to SIEM without affecting computer performance. Despite the fact that Adaptive Defense will be extremely useful as a “defender” against unknown threats, targeted attacks and encryptors, working in parallel with the existing corporate antivirus.

    In a huge stream of information, it is difficult to quickly record and track everything that is needed. And in this regard, the integration of corporate antivirus with SIEM-system can help a lot.

    We offer to evaluate the capabilities of Adaptive Defense 360 using the demo console (without the need to install the product).

    The demo console is designed to demonstrate Panda Adaptive Defense 360, which already has certain information on the settings of users, profiles, etc., which allows you to evaluate the console in a mode as close as possible to real work.

    Access to the demo console: demologin.pandasecurity.com
    Login: [email protected]
    Password: DRUSSIAN # 123

    Note: Changes to the product settings that were made when viewing the demo console are reset daily.

    Read Next