Foresight Analytics Platform supports work with security information and event management systems (SIEM systems).
A ready-made solution based on Foresight Analytics Platform can be integrated via an application system with a tool for real-time analysis of occurring events and timely response to security threats in information systems.
NOTE. SIEM systems are not included in the software package of Foresight Analytics Platform.
SIEM systems are based on the concept that information system security data is collected from different sources and the result of processing it is displayed in a unified interface available to security analysts, which makes it easier to analyze the characteristics inherent to security incidents.
One of the main objectives of using SIEM systems is to increase information security in the existing architecture by making it possible to manage incidents and security events proactively, almost in real time.
Work with security information and event management systems is aimed at solving the following tasks:
Collection, processing and analysis of security events received by the system from various sources.
Detection of attacks and violations of security criteria and policies in real time.
Timely assessment of the degree of security of information, telecommunication and other critically important resources.
Analysis and management of security risks.
Investigation of incidents.
Making effective information protection decisions.
Creation of reporting documents.
An access protocol can be used for integration.
A security information and event management system is installed and set up by the system administrator.
A security information and event management system is deployed in the environment. When planning and deploying the application, the environment's system administrator must follow the administrator guides provided by the corresponding SIEM system vendor.
Integration with third-party SIEM systems is supported via CEF files and by forwarding CEF security event messages in real time via the syslog protocol.
The security auditing log of Foresight Analytics Platform is stored in a database in internal format.
To export the log to a file, use the security manager or the task scheduler.
In the security manager:
Open the security manager as an administrator.
Go to the Access Protocol tab.
Save the access protocol to file:
In the desktop application select the Access Protocol > Save to File > Full Protocol/Current View main menu item.
In the web application click the Export button on the toolbar.
A standard dialog box opens, in which you specify:
File name.
File type. To export the full protocol, select the Access Protocol Files (*.cef) type. To export the current view, select the CEF (*.cef) type.
File location.
Click the Save button.
In the task scheduler:
Create a Fore unit using the IAuditLog.Archive or IAuditLog.ArchiveToDate methods.
Create an assembly execution task, specify the created unit and set up the task execution frequency.
Start the task for execution.
Then set up import of the file on the SIEM server.
For details about creating an event parsing decoder see the Example of Data Import to Wazuh article.
To forward auditing messages to syslog server, set up:
The settings.xml file.
Settings are searched in the following order of priority:
settings.xml.
The [HKEY_CURRENT_USER] key.
The [HKEY_LOCAL_MACHINE] key.
If the SysLogServer section is found in a source during the search, the settings are considered read successfully even if the section is empty or contains incorrect records, and the remaining sources are not searched. If any parameter is absent from that source, its default value is used:
Active = False
Host = 127.0.0.1
Port = 514
Protocol = 0
All access protocol events are divided into groups. Events use different sets of fields depending on the group.
The CEF file consists of a set of events, each written as a text string. Each event string consists of a title and a set of fields. The title starts with CEF:0| and ends with |AuditLog|Unknown|. The title also contains the event group.
The FAP_EV_LOGONS group – logon/logoff events
The FAP_EV_VCS_OPERATIONS group – VCS events
The FAP_EV_SECURITY_OPERATIONS group – security events
The FAP_EV_OBJECTS_SECURITY_OPERATIONS group – object security events
The FAP_EV_UPDATE_OPERATIONS group – updates
The FAP_EV_OBJECT_OPERATIONS group – operations with objects
The FAP_EV_DICT_ELEMS_OPERATIONS group – operations with MDM dictionary elements
The FAP_EV_EXPORT_IMPORT_OPERATIONS group – import/export operations
The FAP_EV_CUSTOM_OPERATIONS group – operations with custom objects
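An added example (not code from the Foresight documentation or product) of parsing exported audit-log event strings as described above on the SIEM side: it splits the title on unescaped pipes, checks the CEF:0 ... |AuditLog|Unknown| shape, locates the FAP_EV_ group and decodes the extension fields. It assumes the title follows the standard CEF header order (version|vendor|product|version|signature id|name|severity|extension) with the group in one of the four fields before the name; the sample lines are constructed, and VENDOR, PRODUCT and VERSION are placeholders.

```python
import re
from typing import Dict, List
# Event groups named on this page, keyed to the description given for each.
GROUPS = {
    "FAP_EV_LOGONS": "logon/logoff events",
    "FAP_EV_VCS_OPERATIONS": "VCS events",
    "FAP_EV_SECURITY_OPERATIONS": "security events",
    "FAP_EV_OBJECTS_SECURITY_OPERATIONS": "object security events",
    "FAP_EV_UPDATE_OPERATIONS": "updates",
    "FAP_EV_OBJECT_OPERATIONS": "operations with objects",
    "FAP_EV_DICT_ELEMS_OPERATIONS": "operations with MDM dictionary elements",
    "FAP_EV_EXPORT_IMPORT_OPERATIONS": "import/export operations",
    "FAP_EV_CUSTOM_OPERATIONS": "operations with custom objects",
}
# One CEF title field: any run of escaped chars ('\|', '\\') or plain chars, up to its '|'.
_HEADER_FIELD = re.compile(r"((?:\\.|[^\\|])*)\|")

def split_header(line: str) -> List[str]:
    """Return the 7 unescaped title fields plus the raw extension; fewer than 8 items means a malformed title."""
    fields, pos = [], 0
    while len(fields) < 7:
        m = _HEADER_FIELD.match(line, pos)
        if not m:
            break
        fields.append(re.sub(r"\\(.)", r"\1", m.group(1)))
        pos = m.end()
    return fields + [line[pos:]]

def parse_extension(ext: str) -> Dict[str, str]:
    """Space-separated key=value pairs; '\\=' inside a value is a literal '='."""
    pairs: Dict[str, str] = {}
    for chunk in filter(None, re.split(r"\s+(?=[A-Za-z0-9_]+=)", ext.strip())):
        key, _, value = chunk.partition("=")
        pairs[key] = value.replace("\\=", "=").replace("\\\\", "\\")
    return pairs

def parse_event(line: str) -> Dict[str, object]:
    """Parse one audit-log event string; reject anything that is not a CEF:0 title
    ending in |AuditLog|Unknown| as the page describes."""
    fields = split_header(line)
    if len(fields) != 8 or fields[0] != "CEF:0" or fields[5:7] != ["AuditLog", "Unknown"]:
        raise ValueError("not a Foresight audit-log CEF:0 line")
    # The page says only that the title contains the group, so locate it by its
    # FAP_EV_ prefix instead of a fixed slot (which slot it occupies is an assumption).
    group = next((f for f in fields[1:5] if f.startswith("FAP_EV_")), "")
    return {"group": group, "group_desc": GROUPS.get(group, "unknown group"),
            "ext": parse_extension(fields[7])}

# Constructed sample lines, not real platform output; VENDOR/PRODUCT/VERSION are placeholders.
SAMPLE = [
    "CEF:0|VENDOR|PRODUCT|VERSION|FAP_EV_LOGONS|AuditLog|Unknown|suser=analyst01 src=10.0.0.5 msg=Logon",
    "CEF:0|VENDOR|PRODUCT|VERSION|FAP_EV_SECURITY_OPERATIONS|AuditLog|Unknown|suser=admin msg=Role\\=Admin granted",
]
```

Lines that fail the title check are rejected rather than silently mapped to an empty group, so a decoder built on this can alert on malformed input instead of dropping it.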