An example of integrating a corporate antivirus with a SIEM platform. Part 2

We continue to consider examples of integrating corporate antivirus with SIEM systems. This time we’ll talk about the possibilities of exporting information from antivirus to any third-party SIEM system.
In the first part of this article, we have already talked about what SIEM is , why it is needed and what advantages it provides for expert analysis of information security related events. In short, the SIEM system allows you to collect a huge amount of primary information from other applications and security systems (for example, firewall, antivirus, IDS / IPS, etc.), identification and access control systems, operating system, databases, etc. for processing these data for interconnection (correlation) and providing them in a form convenient for viewing and analysis.
Recently, more and more often they began to talk about SIEM systems, especially since for certain companies and organizations the availability of their own SIEM system becomes not only relevant, but also a prerequisite.
In order for the SIEM system to provide the most extensive and complete information, it is necessary that as many devices, objects and applications as possible “provide” it with primary information. It is clear that corporate antivirus is one of the main data providers here. But how to integrate it with a SIEM system?
Consider this issue on the example of cloud-based corporate antivirus Panda Adaptive Defense 360. In the firstIn part of the article, we considered the option of integrating antivirus with our own simplified SIEM-system Advanced Reporting Tool. In the second part of the article, we will consider the situation when it is necessary to integrate the antivirus with a third-party SIEM system (the user already has his own SIEM system or is planning to purchase a specific system).
SIEMFeeder
What is SIEMFeeder
SIEMFeeder is a special service developed by Panda Security to transfer information and knowledge from the corporate antivirus Adaptive Defense 360 to the corporate SIEM platform of third-party manufacturers.
The main goal of this service is to enrich the corporate SIEM platform with detailed information about the activity of each process running on corporate computers. As a result of this, the system administrator can get unprecedented visibility of everything that happens on the corporate network. SIEMFeeder facilitates the detection of unknown threats, targeted attacks to steal confidential corporate information, persistent threats of increased complexity (APT).
SIEMFeeder Architecture

SIEMFeeder collects information about the activity of each application and process running on the corporate network, thanks to continuous monitoring of the entire network by the corporate antivirus Adaptive Defense 360. This information in the Panda cloud platform with Big Data is automatically analyzed using artificial intelligence technologies to generate special security knowledge. As a result of this, each process that is started on each computer in the enterprise network is classified with an accuracy of about 99.999% and with practically zero false positives. After that, SIEMFeeder transfers this entire flow of information to the corporate SIEM server.
Moreover, to get the most out of SIEMFeeder, you do not need to make any changes to the settings of computers on your corporate network: the service works inside the Panda Security infrastructure.
The information flow is as follows:
• Computers on the corporate network protected by Adaptive Defense 360 automatically send information about each running process to the Panda cloud
• The Panda cloud receives information, processes it and adds special security knowledge
• SIEMFeeder service receives information from the Panda cloud and encapsulates it in the form of logs, which are then passed to the user
• sFTP server in the corporate network accepts logs from SIEMFeeder for temporary storage and subsequent transfer to the SIEM server.
In addition, the architecture contains firewalls on the perimeter of the corporate network and locally on computers on the network to protect incoming and outgoing traffic.
Implementation and Integration Requirements
In order to correctly integrate the integration of a corporate antivirus with a SIEM system as part of this example, the following requirements must be taken into account:
• implementation
requirements • SIEM system
requirements Implementation requirements
To implement and use SIEMFeeder, you need:
• computers on which Adaptive Defense 360 Enterprise Security Solution installed
• active license for SIEMFeeder
• sFTP server
• correctly configured firewall (built-in to Adaptive Defense 360 or third-party)
• sufficient bandwidth of the communication channel for receiving data
sFTP server
An sFTP server must be installed on the corporate network with the following characteristics:
• it must have Sufficient storage for information received from SIEMFeeder. Approximate size: 2 MB from each computer per day
• The sFTP server must support up to 10 simultaneous connections with the same account
• Connection of password-authenticated accounts
• time after which the data connection is disconnected if there is no data traffic: 20 minutes
Firewall settings
To establish a connection between SIEMFeeder and sFTP server, all intermediate firewalls must allow network traffic with the following characteristics:
• access via port 22 to sFTP server
• access from IP address 91.216.218.191
• transport layer protocol: TCP
• application layer protocol: SSH
• Connection type: incoming traffic to the corporate network
SIEM system requirements
Supported SIEM systems
For SIEM system compatibility with SIEMFeeder, it is necessary that it supports the following log formats: ArcSight Common Event Format (CEF) and QRadar Log Event Extended Format (LEEF).
SIEMFeeder can send data in either of these two formats (CEF or LEEF). The following is a limited list of SIEM servers that are compatible with the above formats (for example):
• AlienVault Unified Security Management (USM)
• Fortinet (AccelOps) FortiSIEM
• Hewlett Packard Enterprise (HPE) ArcSight
• QRadar Security Intelligence Platform (IBM)
• McAfee Enterprise Security Manager (ESM) (Intel Security)
• LogRhythm
• SolarWinds Log & Event Manager (LEM)
• Splunk Security Intelligence Platform
Configuring the SIEM server
To correctly configure the SIEM server, you must import the sFTP server as a data source and correctly compare the events and fields received from the SIEMFeeder (see below for more details on the transmitted data).
SIEMFeeder Availability
SIEMFeeder service is available around the clock in 24/7 format. Any possible pauses in the operation of this service will be previously notified to the administrator.
To prevent data loss in the event of a failure, inaccessibility of the user's sFTP server or as a result of any other errors, Panda Security saves the logs generated by SIEMFeeder until they are transmitted to the user (for a reasonable period of time).
Transmitted events and data
SIEMFeeder transforms information received from the Adaptive Defense 360 corporate antivirus into events. Thus, an event is the basic unit of information transmitted by SIEMFeeder.
Event Structure in SIEMFeeder

An event consists of a variable number of field-value pairs and one type / category of event. Field-value pairs depend on the type of event.
In addition, a preamble is added to the event with the information necessary to encapsulate the event in a log file compatible with CEF or LEEF. This information allows SIEM to correctly identify events in the form of compatible logs and include them in their repository.
Event group A log
file is a group of events transmitted to a SIEM server. These log files generated by SIEMFeeder are of different sizes and may contain one or more events belonging to different categories. In addition, events included in a single log file may contain information from one or more user computers.
Sequences and delays in receiving information
The maximum amount of time that can elapse from the moment when an event occurs on a user's computer until the moment information about him is delivered to the SIEM system is 20 minutes. Adaptive Defense 360 agents interact with the cloud every 10 minutes, after which the data is processed in the cloud and supplemented with special security knowledge, transformed into a log file and sent to the user's SIEM system using SIEMFeeder.
SIEMFeeder does not send log files in a predetermined sequence. However, all the logs contain a timestamp, which allows the SIEM server to precisely “arrange” events on the timeline.
SIEFFeeder CEF file format
As we mentioned earlier, SIEMFeeder can send information in two formats: CEF or LEEF.
The CEF format contains two data sections: a prefix or preamble that identifies the event category, and an extension section with fields and values. At the same time, SIEMFeeder does not include the syslog header in the CEF logs. Example:
CEF: 1 | Panda Security | paps | 02.43.00.0000 | registryc | 1 |
ClientId = Date = 2016-11-04 23: 47: 49.000087 MachineName = WIN-JNTIXXX MachineIP = xxx.219.203.xx User = NT AUTHORITY \ LOCAL SERVICE MUID = 33432C7635XXXX1ECE94F666D12XXXXX Op = CreateExeKey Hash = C78655BC4EF1DEF1D1EF1DEF1DEF1DEF1DEF1DEF1EF101DEF1EF101DEF1EF101DFECDEFEFE svchost.exe ValidSig = Company = Microsoft Corporation Broken = true ImageType = EXE 64 ExeType = Unknown Prevalence = High PrevLastDay = Low HeurFI = 67108872 Skeptic = AVDets = 0 JIDFI = 3431976 1NFI = 132943 JIDMW = 11197481 1NMW = 51537 = Cat5373711123 Goodware MWName = TargetPath = 0 | pune.com RegKey = \ REGISTRY \ MACHINE \ SYSTEM \ ControlSet001 \ services \ Tcpip \ Parameters? DhcpDomain
Prefix
CEF: 1 | Panda Security | paps | 02.43.00.0000 | registryc | 1 |
• CEF version (CEF: 1) : Log format and version identifier
• Device vendor (Panda Security): Name of service provider
• Product (paps) : Internal name of the software or device
• Signature ID (2.43.00.0000) : Protection version that generates the event
• Name (registryc) : Type of event sent
• Severity (1) : Criticality of the event. This value is always “1”, except for events with the alert type (alertmalware, alertpup, exploits). We will talk more about event types below.
Extensions
The extensions section contains various fields with different information depending on the Name field (event type).
Encoding
All log files sent by SIEMFeeder use UTF-8 encoding.
SIEFFeeder LEEF File Format
The LEEF format contains two data sections: the LEEF header, which identifies the event category, and the attribute section, which contains information about the event in the form of fields and values. At the same time, SIEMFeeder does not include the syslog header in the LEEF logs.
Example:
LEEF: 1.0 | Panda Security | paps | 02.43.00.0000 | registryc | sev = 1 devTime = 2016-09-22 15: 25: 11.000628 devTimeFormat = yyyy-MM-dd HH: mm: ss.SSS usrName = LOCAL SERVICE domain = NT AUTHORITY src = 10.219.202.149 identSrc = 10.219.202.149 identHostName = PXE68XXX HostName = PXE68XXX MUID = 1F109BA4E0XXXX37F9995D31FXXXX319 Op = CreateExeKey Hash = C78655BC80301D76ED4FEF1C1EA40A7D DriveType = Fixed Path = SYSTEM | \ svchost.exe ValidSig = Company = Microsoft Corporation Broken = true ImageType = EXE 64 ExeType = Unknown Prevalence = High PrevLastDay = Low HeurFI = 67108872 Skeptic = AVDets = 0 JIDFI = 3431993 1NFI = 116241 JIDMW = 11195630 1NMW = 4308325 Class = 100 Cat = Goodware MWName = TargetPath = 0 | pune.com Regreg MACHINE \ SYSTEM \ ControlSet001 \ services \ Tcpip \ Parameters? DhcpDomain LEEF
header
: 1.0 | Panda Security | paps | 02.43.00.0000 | registryc |
•LEEF version (LEEF: 1) : Log format and version identifier
• Vendor (Panda Security) : Name of service provider
• Product (paps) : Internal name of the software or device
• Version ID (2.43.00.0000) : The version of protection that generates the event
• Event Description ID (registryc) : Type of event sent
In the log files in LEEF format, the Severity event parameter is not transmitted in the header, but it is indicated in the section with attributes (“Sev = number” field)
Attributes
section The attributes section contains various fields with different information depending on the type of event.
Event Categories
The type of event received is displayed in the Name field in the prefix section (CEF format), or in the Event Description ID field in the header (LEEF format).
The following is a list of all possible events with explanations of their values, grouped by type:
Adaptive Defense 360 agent deployment
• install : agent installation
• upgrade : agent upgrade
• uninstalll : uninstall agent
Create an alert
• alertpup : An alert that is generated after a potentially unwanted program is detected (PUP) )
• alertmalware: Notification generated after detecting a malware sample
• exploits : Notification generated after detecting an exploit
Changes in the user's operating system
• hostfiles : hosts file has been changed
• monitoredregistry : Read access to the computer registry
• registrym : Changing the registry branch in order to to point to an executable file
• registryc : Create a branch in the registry that points to an executable
Process Processing
• createremotethread : A remote start thread has been created
• createprocess : A process has been created
• exec : process completed
• createpe : executable program created
• modifype : executable file changed
• renamepe : renamed executable file
• deletepe : executable program deleted
• loadlib : library
downloaded File download
• urldownload : file
accessed Data access
• createcmp : archived file created
• opencmp : Opened archive file
• monitoredopen : Access to controlled data files
•createdir : A folder was created in the file system
• socket : Network connection was established
Blocking information
• toast : Adaptive Defense showed a pop-up message
• notBlocked : The corresponding file was not scanned at boot time
• toastBlocked : Active Defense showed a pop-up message after blocking an unknown file
Event Structure and Field Syntax
SIEMFeeder describes each dispatched event using a field-value pair. Events in SIEMFeeder are divided into two types: active events and passive events.
Internal structure of active events
Most of the received events describe situations in which the parent process performs an action on the child process. The type of element that receives the action varies depending on the category of the event. Thus, a child may be:
• Another process : In events where a process is being downloaded / loaded, a library is loaded, etc.
• Executable file : In events where it is created, changed, the program is deleted
• System file: In events where manipulations with the hosts file, registry are performed
• Data file : In events where access to Office files, databases, etc.
• Downloadable file : In events where the process downloads data
• Archived file : In events, where the archived file is created, changed, deleted
• Folder : In the events where it is created, changed, the folder is deleted
Depending on its type, the event will or will not contain certain fields that describe the characteristics of the parent and child elements. For example, if the type of event is associated with the creation of the folder, then the fields associated with the event will describe the characteristics of the parent process (malware or not, process path, process meta-data, etc.), as well as the characteristics of the child process. However, in this case, since we are dealing with a folder, some event fields will be empty.
The internal structure of passive events
We are talking about events that in most cases do not have a clearly defined parent or child process. Passive events, for example, include the generation of alerts when a malicious program is detected, or the installation / modification / removal of an Adaptive Defense 360 agent.
Parent and child prefixes
Active processes that include two files or processes show Parent and Child prefixes to indicate what information the process belongs to:
• Parent : Fields starting with the Parent tag describe the attribute of the parent process
• Child : Fields starting with Child tags describe the attribute of the child process.
Other prefixes and affixes.
Many fields and values use abbreviations. Knowing their meaning, it is much easier to interpret the field in question:
• Sig : Digitally signed
• Exe and pe : Executable file
• Mw : Malicious program
• Sec: Seconds
• Op : Operation
• Cat : Category
• PUP : Potentially unwanted program
• Ver : Version
• SP : Service pack
• Cfg : Configuration
• Cmp and comp : Archived file
• Dst : Destination
Description of fields
Below is information about the available fields with the data that they contain.
action (number): Action taken by the Adaptive Defense agent
• Allow
• Block
• Pending blocking
alertType (number): Category of threat that triggered the alert
• Malicious program
• PUP
• Exploit
broken (Boolean) : File is corrupted or defective
cat (number) : Category of the file that performed the described operation
• Malicious program
• Malicious program
• PUP
• Unknown
• Monitoring
childBroken (Boolean): Child process is damaged or malfunctioning
childCat (number): Category of the child file that performed the described operation
• Malicious program
• Malicious program
• PUP
• Unknown
• Monitoring
childCompany (string): Contents of the Company attribute in the
metadata of the child process childDriveType (number): The type of disk on which it resides the child process / file that performed the described operation
• Fixed
• Remote
• Removable
childExeType (number): Internal structure / type of executable file
• Delphi
• DOTNET
• VisualC
• VB
• CBuilder
• Mingw
• Mssetup
• Setupfactory
• Lcc32
• Vc7setupproject
• Unknown
childHash (MD5): Hash of the child process
childImageType (number): Internal architecture of the child process
• EXEx32
• EXEx64
• DLLx32
• DLLx64
childMwname (string): Name of the malicious program if the child process is classified as a threat
• Null: object is not a malware
childPath (path string): Path to the child file that performed the described operation
childPrevalence (number): Frequency of the child process on Panda Security systems over their lifetime
• High
• Medium
• Low
childPrevLastDay (number): The frequency of the child process on Panda Security systems on the previous day
childValidSig (Boolean): The child process is digitally signed
clientCat (number): Object category stored in the Adaptive Defense agent cache
• Goodware
• Malware
• PUP
• Unknown
• Monitoring
clientId (number): User ID
company (string): Content of the Company attribute in the meta data of the
companyName process (string): Content of the Company attribute in the meta data of the vulnerable file
date (date): Date from the user's computer when the direction event was generated
(number): the network connection direction
• Outgoing
• Incoming
• Bi-directional
• Unknown
DriveType (number): Disc Type, which is the process / file that performed the described operation
• Fixed
• Remote
• Detachable
dstIp (the IP address): the IP-address of the recipient connections
dstIp6 (IPv6 address): IPv6 address of the recipient of the connection
dstPort (range 0-65535): Port of the recipient of the connection
dwellTimeSecs (seconds): Time in seconds since the first observation of the threat in the user's network
executionStatus (number): Indicates whether the detected one was launched threat
• Launched
•
exeType (number) is not running : Internal structure / type of executable file
• Delphi
• DOTNET
• VisualC
• VB
• CBuilder
• Mingw
• Mssetup
• Setupfactory
• Lcc32
• Vc7setupproject
• Unknown
fileName (string): Name of vulnerable file
filePath (string): Full path to vulnerable file
fileVersion (string): Contents of the Version attribute in the meta-data of the vulnerable
hash file (MD5) :
ImageType (number) file hash : Internal process architecture
• EXEx32
• EXEx64
• DLLx32
• DLLx64
internalName(string): The content of the Name attribute in the meta-data of the vulnerable file
itemHash (MD5 string) : Hash of the
detected threat or vulnerable itemName (string) : Name of the detected threat
itemPath (path string) : Full path to the file that contains the
key (string ) : Branch or key of the affected registry
localCat (number) : Object category calculated by the Adaptive Defense agent
• Goodware
• Malware
• PUP
• Unknown
• Monitoring
loggedUser (string) : The user authorized in the system during the generation of the
machine event : Name of the computer of the user who performed the described operation
machineIP (IP address) : IP address of the computer of the user who performed the described operation
machineIP1 (IP address) : IP-alias of the computer of the user who performed the described operation
machineIP2 (IP address) : IP-alias of the computer of the user who performed the described
machineIP3 ( IP address) : IP alias of the computer of the user who performed the described operation
machineIP4 (IP address) : IP alias of the computer of the user who performed the described operation
machineIP5 (IP address) : IP alias of the computer of the user who performed the described
machineName (string) operation : Name com yutera user who performed the operation described
muid (String, format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) : Internal client computer ID
numCacheClassifiedElements (number) : Number of objects classified in the Adaptive Defense cache
mwName (string) : Name of the malicious sample if the object is cataloged as a threat
• Null : The item is not malware
op (number): Operation performed by the process
• Install
• Uninstall
• Upgrade
• CreateDir
• Exec
• CreatePE
• DeletePE
• LoadLib
• OpenCmp
• RenamePE
• CreateCmp
osPlatform(number): Platform of the operating system installed on the user's computer
• WIN32
• WIN64
osSP (string) : Service pack of the operating system installed on the user's computer
osVer (string) : Version of the operating system installed on the user's computer
path (path string) : The path to an object that performed the operation described by
the params (: string) : The parameters of a process
parentBroken (Boolean a) : The parent process is damaged or defective
parentCat (number) : Category parent file that describe the operations performed
• non-malicious program
• Vredono naya Program
• ANP
• Unknown
• Monitoring
parentCompany (string) : The content of the Company attribute in the
metadata of the parent process parentDriveType (number): The type of disk on which the parent process / file that performed the described operation is located
• Fixed
• Remote
• Removable
parentExeType (number): Internal parent process structure / type
• Delphi
• DOTNET
• VisualC
• VB
• CBuilder
• Mingw
• Mssetup
• Setupfactory
• Lcc32
• Vc7setupproject
• Unknown
parentHash (MD5) : Hash of the parent process
parentImageType(number): Internal architecture of the parent process
• EXEx32
• EXEx64
• DLLx32
• DLLx64
parentMwname (string): Name of the malware if the parent process is classified as a threat
• Null: The object is not malware
parentPath (path string): Path to the parent file, who performed the described operation
parentPrevalence (number): The frequency of the parent process in Panda Security systems over their lifetime
• High
• Medium
• Low
parentPrevLastDay (number): The frequency of the parent process in Panda Security systems over the previous day
parentValidSig(Boolean): The parent process is digitally signed
Port (0-65535) : Communication port used by the process
Prevalence (number): Frequency of the process in Panda Security systems over their lifetime
• High
• Medium
• Low
prevLastDay (number): Frequency of occurrence process on Panda Security systems for the previous day
• High
• Medium
• Low
productVersion (string): Contents of the ProductVersion attribute in the meta data of the vulnerable file
protocol (number): Communication protocol used by the process
• TCP
• UDP
• ICMP
• ICMPv6
• IGMP
• RF
regAction (number): Type of operation performed in the computer registry
• CreateKey
• CreateValue
• ModifyValue
regKey (string): registry key
responseCat (number): File category returned by the cloud
• Unknown = 0
• Malicious program = 1
• Malicious program = 2
• Suspicious file = 3
• Compromised file = 4
• Unconfirmed non-malicious program = 5
• PUP = 6
• Unwanted non-malicious program = 7
serverdate : Date from the user's computer when the serviceDriveType event was generated
(number): The type of disk on which the driver receiving the action
sonFirstSeen (date) is located: The time the object was first detected that caused the pop-up message to
appear sonLastQuery (date): The time the process that caused the pop-up message to appear on the user's computer for the last time sent a request to the cloud
targetPath (path string): Path to the executable referenced by the
toastResult (number) registry branch : User response to the pop-up message shown by the Adaptive Defense solution
• OK: The user received the message
• Timeout: Pop-up message stopped showing due to lack of action on the part of the user for a set period of time
• User rejected the blocking action
• Block
• Allow
user (string): User account used by the process that performed the described operation
url (URL string): URL to download caused by the process that generated the described event
validSig (Boolean): Process, digitally signed
value (string): Name of the changed value in the registry key
valueData (string): Contents of the registry key value
ver (string): Agent version Adaptive Defense
version (string): Agent version Adaptive Defense
winningTech (number): The technology that generated event
• Unknown
• Cache
• Cloud
• Context
• Serializer
• User
• Legacyuser
• Netnative
• certifUA
Conclusion
Adaptive Defense 360 is able to automatically and practically in real time transfer a huge amount of information about all processes monitored on computers in the corporate network to a third-party SIEM system. In turn, the SIEM system allows you to instantly provide processed expert information in a digestible form so that the user can make effective decisions to counter malicious and unauthorized actions, minimize security risks and prevent corporate data leakage. In addition, SIEM systems can be used to thoroughly investigate information security incidents to establish what, where, when, how, and with whom it happened.
However, even if the enterprise already has a corporate antivirus, a separate Adaptive Defense product can be used as a “collector” of a huge amount of primary information with its subsequent automatic uploading to SIEM without affecting computer performance. Despite the fact that Adaptive Defense will be extremely useful as a “defender” against unknown threats, targeted attacks and encryptors, working in parallel with the existing corporate antivirus.
In a huge stream of information, it is difficult to quickly record and track everything that is needed. And in this regard, the integration of corporate antivirus with SIEM-system can help a lot.
We offer to evaluate the capabilities of Adaptive Defense 360 using the demo console (without the need to install the product).
The demo console is designed to demonstrate Panda Adaptive Defense 360, which already has certain information on the settings of users, profiles, etc., which allows you to evaluate the console in a mode as close as possible to real work.
Access to the demo console: demologin.pandasecurity.com
Login: [email protected]
Password: DRUSSIAN # 123
Note: Changes to the product settings that were made when viewing the demo console are reset daily.