Support of Work with Security Information and Event Management Systems

Foresight Analytics Platform supports work with security information and event management systems (SIEM systems).

A ready solution based on Foresight Analytics Platform can be integrated via an application system using a tool for real time analysis of running events and timely response to security threats in information systems.

NOTE. SIEM systems are not included in the software package of Foresight Analytics Platform.

SIEM systems are based on the concept that information system security data is collected from different sources, and the result of data processing is displayed in an unified interface that is available for security data analysts, which makes it easier to analyze characteristics that are inherent to security incidents.

One of the main objectives of SIEM systems use is increasing information security in the existing architecture by ensuring the ability to execute anticipatory management of incidents and security events almost in real time.

Work with security information and event management systems is aimed at solving the following tasks:

A security information and event management system is installed and set up by the system administrator.

A security information and event management is deployed in the environment. When planning and deploying an application, the environment system administrator must use administrator guides provided by corresponding SIEM system vendors.

Integration with third-party SIEM systems is supported via CEF files and forwarding CEF security event messages in real time via the syslog protocol.

Security Auditing Log Import to SIEM Systems

The security auditing log of Foresight Analytics Platform is stored in a database in internal format.

Forwarding CEF Security Event Messages in Real Time via the syslog Protocol

If the SysLogServer section has been found during the search in the source, it is assumed that settings are read successfully event if the section is empty or contains incorrect records. Other sources are not searched. If any of parameters is absent in the source, default values are taken:

CEF Event Format used in Foresight Analytics Platform

All access protocol events are divided into groups. Events use different sets of fields depending on the group.

The CEF file consists of a set of events, each event is written as a text string. Each event string consists of a title and a set of fields. The title starts from CEF:0| and ends with |AuditLog|Unknown|. The title also contains a group.

The groups contains events: system logon, system logoff, navigator logon.

The set of used fields:

Field name	Description
act	Event (operation)
cs1Label	The value is always MetabaseId
cs1	Repository identifier
rt	Date and time of event generation
outcome	Operation execution result. Available values: Success, Failure
shost	Workstation
suser	OS user
cs2Label	The value is always PlatformUser
cs2	Foresight Analytics Platform user NOTE. The field is empty if the logon failed, the field value: outcome = Failure.
cs3Label	The value is always IPAddresses
cs3	Set of IP addresses
msg	Event comment (can be empty)

Examples of events:

CEF:0|Foresight|Foresight Analytical Platform|9.8.0|FAP_EV_LOGONS|AuditLog|Unknown|act=Navigator logon cs1Label=MetabaseId cs1=MB_DEF rt=Aug 11 2022 11:25:02+05:00 outcome=Success shost=WKSTATION suser=name.surname cs2Label=PlatformUser cs2=DOMAIN\\ NAME.SURNAME cs3Label=IPAddresses cs3=192.168.176.1;172.26.224.1;192.168.141.1;192.168.217.1;172.17.32.1;10.9.43.44 msg=

CEF:0|Foresight|Foresight Analytical Platform|9.8.0|FAP_EV_LOGONS|AuditLog|Unknown|act=System logon cs1Label=MetabaseId cs1= MB_DEF rt=Aug 11 2022 11:25:01+05:00 outcome=Success shost= WKSTATION suser= name.surname cs2Label=PlatformUser cs2= DOMAIN\\ NAME.SURNAME cs3Label=IPAddresses cs3=192.168.176.1;172.26.224.1;192.168.141.1;192.168.217.1;172.17.32.1;10.9.43.44 msg=Platform version: 9.8.0.0 D Master x64 Desktop application

CEF:0|Foresight|Foresight Analytical Platform|9.8.0|FAP_EV_LOGONS|AuditLog|Unknown|act=System logoff cs1Label=MetabaseId cs1= MB_DEF rt=Aug 10 2022 18:05:01+05:00 outcome=Success shost= WKSTATION suser= name.surname cs2Label=PlatformUser cs2= DOMAIN\\NAME.SURNAME cs3Label=IPAddresses cs3=172.30.32.1;172.21.96.1;192.168.141.1;192.168.217.1;172.30.208.1;10.9.43.44 msg=

The group contains events: Connect to VCS, Disconnect from VCS, Change VCS settings.

The set of used fields:

Field name	Description
act	Event (operation)
cs1Label	The value is always MetabaseId
cs1	Repository identifier
rt	Date and time of event generation
outcome	Operation execution result. Available values: Success, Failure
shost	Workstation
suser	OS user
cs2Label	The value is always PlatformUser
cs2	Foresight Analytics Platform user
cs3Label	The value is always IPAddresses
cs3	Set of IP addresses
msg	Event comment

Examples of events:

CEF:0|Foresight|Foresight Analytical Platform|9.8.0|FAP_EV_VCS_OPERATIONS|AuditLog|Unknown|act=Connect to VCS cs1Label=MetabaseId cs1=MB_DEF rt=Aug 08 2022 18:40:01+05:00 outcome=Success shost= WKSTATION suser=name.surname cs2Label=PlatformUser cs2=ADMIN cs3Label=IPAddresses cs3=172.30.32.1;172.21.96.1;192.168.141.1;192.168.217.1;172.30.208.1;10.9.43.44 msg=Repository is disconnected from version control system, Team Foundation Server - d:\\GIT\\GitRepo\\, Team Project -

CEF:0|Foresight|Foresight Analytical Platform|9.8.0|FAP_EV_VCS_OPERATIONS|AuditLog|Unknown|act=Synchronize with VCS cs1Label=MetabaseId cs1= MB_DEF rt=Aug 08 2022 18:40:01+05:00 outcome=Success shost=WKSTATION suser= name.surname cs2Label=PlatformUser cs2=ADMIN cs3Label=IPAddresses cs3=172.30.32.1;172.21.96.1;192.168.141.1;192.168.217.1;172.30.208.1;10.9.43.44 msg=Repository is synchronized with version control system, Team Foundation Server - d:\\GIT\\GitRepo\\, Team Project –

The group contains two event subgroups.

The first subgroup contains events: change auditing service user password, change security policy, save security policy, read security policy.

The second subgroup contains events: save security policy environment, apply security policy environment, save access protocol to file.

The set of used fields for the first subgroup:

Field name	Description
act	Event (operation)
cs1Label	The value is always MetabaseId
cs1	Repository identifier
rt	Date and time of event generation
outcome	Operation execution result. Available values: Success, Failure
shost	Workstation
suser	OS user
cs2Label	The value is always PlatformUser
cs2	Foresight Analytics Platform user
cs3Label	The value is always IPAddresses
cs3	Set of IP addresses
msg	Event comment (can be empty)

Examples of events:

CEF:0|Foresight|Foresight Analytical Platform|9.8.0|FAP_EV_SECURITY_OPERATIONS|AuditLog|Unknown|act=Read policy cs1Label=MetabaseId cs1=MB_DEF rt=Aug 09 2022 14:51:51+05:00 outcome=Success shost=WKSTATION suser=name.surname cs2Label=PlatformUser cs2=ADMIN cs3Label=IPAddresses cs3=172.30.32.1;172.21.96.1;192.168.141.1;192.168.217.1;172.30.208.1;10.9.43.44 msg=

CEF:0|Foresight|Foresight Analytical Platform|9.8.0|FAP_EV_SECURITY_OPERATIONS|AuditLog|Unknown|act=Change policy cs1Label=MetabaseId cs1=MB_DEF rt=Jun 17 2022 12:47:30+05:00 outcome=Failure shost=WKSTATION suser=name.surname cs2Label=PlatformUser cs2=ADMIN cs3Label=IPAddresses cs3=172.24.80.1;172.23.96.1;192.168.141.1;192.168.217.1;172.27.160.1;10.9.43.44 msg=Creation of deferred subjects is disabled

The set of used fields for the second subgroup:

Field name	Description
act	Event (operation)
cs1Label	The value is always MetabaseId
cs1	Repository identifier
rt	Date and time of event generation
outcome	Operation execution result. Available values: Success, Failure
shost	Workstation
suser	OS user
cs2Label	The value is always PlatformUser
cs2	Foresight Analytics Platform user
cs3Label	The value is always IPAddresses
cs3	Set of IP addresses
filePath	Full path to file including name

The example of event:

CEF:0|Foresight|Foresight Analytical Platform|9.8.0|FAP_EV_SECURITY_OPERATIONS|AuditLog|Unknown|act=Save access protocol cs1Label=MetabaseId cs1=MB_DEF rt=Aug 11 2022 13:14:33+05:00 outcome=Success shost=WKSTATION suser=name.surname cs2Label=PlatformUser cs2=ADMIN cs3Label=IPAddresses cs3=192.168.176.1;172.26.224.1;192.168.141.1;192.168.217.1;172.17.32.1;10.9.43.44 filePath=C:\\Temp\\fap_test_git.cef

The group contains events: change permissions, change dictionary element permissions, transfer of permissions, transfer of data permissions.

The set of used fields:

Field name	Description
act	Event (operation)
cs1Label	The value is always MetabaseId
cs1	Repository identifier
rt	Date and time of event generation
cs4Label	The value is always ObjectName
cs4	Object name
cs5Label	The value is always ObjectId
cs5	Object identifier
cs6Label	The value is always AccessLevel NOTE. The field is used if mandatory access control method is enabled.
cs6	Access level NOTE. The field is used if mandatory access control method is enabled.
outcome	Operation execution result. Available values: Success, Failure
shost	Workstation
suser	OS user
cs2Label	The value is always PlatformUser
cs2	Foresight Analytics Platform user
cs3Label	The value is always IPAddresses
cs3	Set of IP addresses
msg	Event comment (can be empty)

The example of event:

CEF:0|Foresight|Foresight Analytical Platform|9.8.0|FAP_EV_OBJECTS_SECURITY_OPERATIONS|AuditLog|Unknown|act=Change permissions cs1Label=MetabaseId cs1=MB_DEF rt=Aug 08 2022 20:10:55+05:00 cs4Label=ObjectName cs4=D_Data input 2 cs5Label=ObjectId cs5=OBJ1055961 outcome=Success shost=WKSTATION suser=name.surname cs2Label=PlatformUser cs2=ADMIN_1 cs3Label=IPAddresses cs3=192.168.241.1;192.168.249.1;10.9.47.22 msg=Permissions for the 'BRANCHES' user/group permissions have been changed before: 'Insufficient permissions'; after: 'Read, Change, Read descriptor, Change descriptor, Read parameters, Change parameters, Read metadata, Change metadata, Create, Get data, Save data'

The group contains events: read, write, apply.

The set of used fields:

Field name	Description
act	Event (operation)
cs1Label	The value is always MetabaseId
cs1	Repository identifier
rt	Date and time of event generation
outcome	Operation execution result. Available values: Success, Failure
shost	Workstation
suser	OS user
cs2Label	The value is always PlatformUser
cs2	Foresight Analytics Platform user
cs3Label	The value is always IPAddresses
cs3	Set of IP addresses
msg	Event comment (can be empty)

Examples of events:

CEF:0|Foresight|Foresight Analytical Platform|9.8.0|FAP_EV_UPDATE_OPERATIONS|AuditLog|Unknown|act=Write update cs1Label=MetabaseId cs1=MB_DEF rt=Jan 18 2022 13:11:08+05:00 outcome=Success shost=WKSTATION suser=name.surname cs2Label=PlatformUser cs2=ADMIN cs3Label=IPAddresses cs3=192.168.141.1;192.168.217.1;172.21.112.1;10.9.47.23 msg=File: D:\\Downloads\\Update_MB_DEF_1812022_13838.pefx Date: 18.01.2022 13:08:48 Size: 24778

CEF:0|Foresight|Foresight Analytical Platform|9.8.0|FAP_EV_UPDATE_OPERATIONS|AuditLog|Unknown|act=Read update cs1Label=MetabaseId cs1=MB_DEF rt=Jan 17 2022 14:42:07+05:00 outcome=Success shost=WKSTATION suser= name.surname cs2Label=PlatformUser cs2=ADMIN cs3Label=IPAddresses cs3=192.168.141.1;192.168.217.1;172.21.112.1;10.9.47.23 msg=File: D:\\Downloads\\wizardPageUserAlg.pefx Date: 17.01.2022 14:41:42 Size: 19997

The group contains events: read, read descriptor, read parameters, read metadata, get metadata, read formulas, execute, create, change descriptor, change parameters, insert data, change data, change table structure, save data, save formulas, change text, delete, delete data, open connection, change, change metadata.

The set of used fields:

Field name	Description
act	Event (operation)
cs1Label	The value is always MetabaseId
cs1	Repository identifier
rt	Date and time of event generation
cs4Label	The value is always ObjectName
cs4	Object name
cs5Label	The value is always ObjectId
cs5	Object identifier
cs6Label	The value is always AccessLevel NOTE. The field is used if mandatory access control method is enabled.
cs6	Access level NOTE. The field is used if mandatory access control method is enabled.
outcome	Operation execution result. Available values: Success, Failure
shost	Workstation
suser	OS user
cs2Label	The value is always PlatformUser
cs2	Foresight Analytics Platform user
cs3Label	The value is always IPAddresses
cs3	Set of IP addresses
msg	Event comment (can be empty)

Examples of events:

CEF:0|Foresight|Foresight Analytical Platform|9.8.0|FAP_EV_OBJECT_OPERATIONS|AuditLog|Unknown|act=Delete cs1Label=MetabaseId cs1=MB_DEF rt=Aug 08 2022 14:52:04+05:00 cs4Label=ObjectName cs4=Scheduled tasks container cs5=OBJ10143 cs5Label=ObjectId outcome=Success shost=WKSTATION suser=name.surname cs2Label=PlatformUser cs2=ADMIN cs3Label=IPAddresses cs3=172.30.32.1;172.21.96.1;192.168.141.1;192.168.217.1;172.30.208.1;10.9.43.44 msg=

CEF:0|Foresight|Foresight Analytical Platform|9.8.0|FAP_EV_OBJECT_OPERATIONS|AuditLog|Unknown|act=Create cs1Label=MetabaseId cs1=MB_DEF rt=Aug 08 2022 14:26:10+05:00 cs4Label=ObjectName cs4=Scheduled tasks container cs5Label=ObjectId cs5=OBJ10143 outcome=Success shost= WKSTATION suser=name.surname cs2Label=PlatformUser cs2= ADMIN cs3Label=IPAddresses cs3=172.30.32.1;172.21.96.1;192.168.141.1;192.168.217.1;172.30.208.1;10.9.43.44 msg=

CEF:0|Foresight|Foresight Analytical Platform|9.8.0|FAP_EV_OBJECT_OPERATIONS|AuditLog|Unknown|act=Change cs1Label=MetabaseId cs1=MB_DEF rt=Aug 08 2022 14:26:10+05:00 cs4Label=ObjectName cs4=Temp cs5Label=ObjectId cs5=OBJ93 outcome=Success shost= WKSTATION suser=name.surname cs2Label=PlatformUser cs2=ADMIN cs3Label=IPAddresses cs3=172.30.32.1;172.21.96.1;192.168.141.1;192.168.217.1;172.30.208.1;10.9.43.44 msg=

The group contains events: read dictionary elements, change dictionary elements, add elements to dictionary, delete elements from dictionary.

The set of used fields:

Field name	Description
act	Event (operation)
cs1Label	The value is always MetabaseId
cs1	Repository identifier
rt	Date and time of event generation
cs4Label	The value is always ObjectName
cs4	Object name
cs5Label	The value is always ObjectId
cs5	Object identifier
cs6Label	The value is always AccessLevel NOTE. The field is used if mandatory access control method is enabled.
cs6	Access level NOTE. The field is used if mandatory access control method is enabled.
outcome	Operation execution result. Available values: Success, Failure
shost	Workstation
suser	OS user
cs2Label	The value is always PlatformUser
cs2	Foresight Analytics Platform user
cs3Label	The value is always IPAddresses
cs3	Set of IP addresses
msg	Event comment (can be empty)

Examples of events:

CEF:0|Foresight|Foresight Analytical Platform|9.8.0|FAP_EV_OBJECTDICT_ELEMS_OPERATIONS|AuditLog|Unknown|act=Read dictionary elements cs1Label=MetabaseId cs1=MB_DEF rt=Aug 0811 2022 20:10:0328:37+05:00 cs4Label=ObjectName cs4=Dictionary cs5Label=ObjectId cs5=DICT_ENTITYOBJ90 outcome=Success shost= WKSTATION suser= name.surname cs2Label=PlatformUser cs2=ADMIN_1 cs3Label=IPAddresses cs3=172.18.112.1;192.168.241141.1;192.168.249217.1;172.24.176.1;10.9.43.44 msg=

CEF:0|Foresight|Foresight Analytical Platform|9.8.0|FAP_EV_DICT_ELEMS_OPERATIONS|AuditLog|Unknown|act=Add elements to dictionary cs1Label=MetabaseId cs1=MB_DEF rt=Aug 11 2022 20:28:34+05:00 cs4Label=ObjectName cs4=Dictionary cs5Label=ObjectId cs5=OBJ90 outcome=Success shost= WKSTATION suser= name.surname cs2Label=PlatformUser cs2= ADMIN cs3Label=IPAddresses cs3=172.18.112.1;192.168.141.1;192.168.217.1;172.24.176.1;10.9.47.2243.44 msg=Elements added: 1111.

The group contains events: print, export, import, export to web.

The set of used fields:

Field name	Description
act	Event (operation)
cs1Label	The value is always MetabaseId
cs1	Repository identifier
rt	Date and time of event generation
cs4Label	The value is always ObjectName
cs4	Object name
cs5Label	The value is always ObjectId
cs5	Object identifier
cs6Label	The value is always AccessLevel NOTE. The field is used if mandatory access control method is enabled.
cs6	Access level NOTE. The field is used if mandatory access control method is enabled.
outcome	Operation execution result. Available values: Success, Failure
shost	Workstation
suser	OS user
cs2Label	The value is always PlatformUser
cs2	Foresight Analytics Platform user
cs3Label	The value is always IPAddresses
cs3	Set of IP addresses
msg	Event comment (can be empty)

Examples of events:

CEF:0|Foresight|Foresight Analytical Platform|9.8.0|FAP_EV_EXPORT_IMPORT_OPERATIONS|AuditLog|Unknown|act=Export cs1Label=MetabaseId cs1=MB_DEF rt=Aug 05 2022 11:39:25+05:00 cs4Label=ObjectName cs4=Data entry/output form: Basic report cs5Label=ObjectId cs5=OBJ118774_REPORT outcome=Success shost=WKSTATION suser=name.surname cs2Label=PlatformUser cs2=ADMIN cs3Label=IPAddresses cs3=127.0.1.1 msg=Export format: XLSX Number of copies: 1 Number of pages: 1 Result: Successful

The group contains event: operation determined by custom object.

The set of used fields:

Field name	Description
act	Event (operation)
cs1Label	The value is always MetabaseId
cs1	Repository identifier
rt	Date and time of event generation
cs4Label	The value is always ObjectName
cs4	Object name
cs5Label	The value is always ObjectId
cs5	Object identifier
cs6Label	The value is always AccessLevel NOTE. The field is used if mandatory access control method is enabled.
cs6	Access level NOTE. The field is used if mandatory access control method is enabled.
outcome	Operation execution result. Available values: Success, Failure
shost	Workstation
suser	OS user
cs2Label	The value is always PlatformUser
cs2	Foresight Analytics Platform user
cs3Label	The value is always IPAddresses
cs3	Set of IP addresses
msg	Event comment (can be empty)

Examples of events:

CEF:0|Foresight|Foresight Analytical Platform|9.8.0| FAP_EV_CUSTOM_OPERATIONS |AuditLog|Unknown|act=Administration cs1Label=MetabaseId cs1=MB_DEF rt=Aug 05 2022 11:39:25+05:00 cs4Label=ObjectName cs4=Process cs5Label=ObjectId cs5=OBJ118774_KREA_174 outcome=Success shost=WKSTATION suser=name.surname cs2Label=PlatformUser cs2=ADMIN cs3Label=IPAddresses cs3=127.0.1.1 msg=Execution of the ‘Administration’ operation of custom object