Support of Work with Security Information and Event Management Systems

Foresight Analytics Platform supports integration with security information and event management (SIEM) systems.

A ready solution based on Foresight Analytics Platform can be integrated with a SIEM system, that is, a tool for real-time analysis of security events and timely response to security threats in information systems.

NOTE. SIEM systems are not included in the software package of Foresight Analytics Platform.

SIEM systems are based on the concept that information system security data is collected from different sources and the results of processing are presented in a single interface available to security analysts, which makes it easier to analyze the characteristics that are typical of security incidents.

One of the main objectives of using a SIEM system is to increase the information security of the existing architecture by enabling proactive management of incidents and security events in near real time.

Work with security information and event management systems is aimed at solving the following tasks:

The access protocol (the security auditing log of the platform) is the data source used for integration.

A SIEM system is installed and set up by the system administrator.

The SIEM system is deployed in the environment. When planning and deploying it, the environment system administrator must follow the administrator guides provided by the corresponding SIEM system vendor.

Integration with third-party SIEM systems is supported in two ways: via CEF files, and by forwarding CEF security event messages in real time via the syslog protocol.

Security Auditing Log Import to SIEM Systems

The security auditing log of Foresight Analytics Platform is stored in the database in an internal format.

To export the log to a CEF file, use the security manager or the task scheduler.

    1. Open the security manager as an administrator.

    2. Go to the Access Protocol tab.

    3. Save the access protocol to file:

The standard dialog box opens; in it, specify:

Then set up import of the file on the SIEM server.

For details about creating an event parsing decoder, see the Example of Data Import to Wazuh article.

Forwarding CEF Security Event Messages in Real Time via the syslog Protocol

To forward auditing messages to a syslog server, set up:

Settings are searched for in the following order of priority:

  1. settings.xml.

  2. The [HKEY_CURRENT_USER] key.

  3. The [HKEY_LOCAL_MACHINE] key.

If the SysLogServer section is found in a source during the search, settings are considered read successfully from that source even if the section is empty or contains incorrect records, and the remaining sources are not searched. Note the consequence: an empty or misconfigured SysLogServer section in settings.xml shadows any registry settings, and forwarding then stays disabled because Active defaults to False. Any parameter absent from the winning source takes its default value:

Active = False

Host = 127.0.0.1

Port = 514

Protocol = 0
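The search order and default handling described above, as an added example (this is illustrative code, not part of Foresight Analytics Platform). It resolves the SysLogServer settings from an ordered list of sources, showing that the first source containing the section wins even when the section is empty, and then frames one CEF event as a syslog message and sends it over UDP. Assumptions, not stated on the page: settings.xml holds a SysLogServer element with one child element per parameter; the registry sources are represented here as plain dictionaries; and Protocol = 0 is taken to mean UDP.

```python
"""Resolve SysLogServer settings in the documented search order and forward
one CEF event over syslog/UDP.  Added example, not platform code.  Assumed:
settings.xml layout, registry values modelled as dicts, Protocol=0 is UDP."""
import socket
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# Defaults taken from the page; all values are kept as strings, as read.
DEFAULTS = {"Active": "False", "Host": "127.0.0.1", "Port": "514", "Protocol": "0"}

# Constructed settings.xml: the section exists but sets only Host, so Active
# keeps its default of False and nothing is forwarded, whatever the registry says.
SETTINGS_XML = """<Settings>
  <SysLogServer>
    <Host>10.0.0.5</Host>
  </SysLogServer>
</Settings>"""


def section_from_xml(xml_text):
    """Return the SysLogServer parameters as a dict, {} when the section is
    present but empty, or None when the section is absent."""
    sec = ET.fromstring(xml_text).find("SysLogServer")
    if sec is None:
        return None
    return {child.tag: (child.text or "").strip() for child in sec}


def resolve(sources):
    """sources: ordered (name, section) pairs, e.g. settings.xml, then
    HKEY_CURRENT_USER, then HKEY_LOCAL_MACHINE; section is a dict or None.
    The first source that has the section wins outright, even if the section
    is empty, and the remaining sources are not consulted.  Parameters the
    winning section does not set take the documented defaults."""
    for name, section in sources:
        if section is not None:
            return name, {**DEFAULTS, **section}
    return None, dict(DEFAULTS)


def frame_syslog(cef_message, timestamp, hostname="fap-server"):
    """RFC 5424 framing with facility 4 (security/auth) and severity 6
    (informational): PRI = facility * 8 + severity = 38."""
    return f"<38>1 {timestamp} {hostname} AuditLog - - - {cef_message}".encode()


def forward(settings, cef_message):
    """Send one event as a UDP datagram if forwarding is active; return the
    bytes sent, or None when Active is not True."""
    if settings["Active"].lower() != "true":
        return None
    if settings["Protocol"] != "0":  # only the assumed UDP case is handled here
        raise NotImplementedError(f"Protocol={settings['Protocol']} not handled")
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    payload = frame_syslog(cef_message, ts)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(payload, (settings["Host"], int(settings["Port"])))
    return payload


if __name__ == "__main__":
    # A local UDP listener stands in for the SIEM's syslog collector.
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))
    port = listener.getsockname()[1]
    hkcu = {"Active": "True", "Host": "127.0.0.1", "Port": str(port)}  # simulated registry
    event = ("CEF:0|Foresight|Foresight Analytics Platform|Unknown|"
             "FAP_EV_LOGONS|AuditLog|Unknown|suser=jdoe outcome=success")

    # Case 1: settings.xml has the section, so the registry is never read.
    src, settings = resolve([("settings.xml", section_from_xml(SETTINGS_XML)),
                             ("HKCU", hkcu), ("HKLM", {})])
    print(src, settings, "-> sent:", forward(settings, event))

    # Case 2: settings.xml has no section, so HKCU wins and the event is sent.
    src, settings = resolve([("settings.xml", None), ("HKCU", hkcu), ("HKLM", {})])
    sent = forward(settings, event)
    data, _ = listener.recvfrom(4096)
    print(src, "-> collector received:", data.decode())
    assert data == sent
```

Running the script shows the two cases side by side: with the section present in settings.xml the call returns None and the collector receives nothing, and only when settings.xml lacks the section do the registry values take effect.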

CEF Event Format Used in Foresight Analytics Platform

All access protocol events are divided into groups; the set of fields an event carries depends on its group.

A CEF file consists of a set of events, each written as one text line. Each event line consists of a header and a set of fields: in CEF terms, the pipe-delimited CEF header followed by the extension of key=value pairs. The header starts with CEF:0| and ends with |AuditLog|Unknown|; it also contains the event group.

The FAP_EV_LOGONS group – logon/logoff events

The FAP_EV_VCS_OPERATIONS group – VCS events

The FAP_EV_SECURITY_OPERATIONS group – security events

The FAP_EV_OBJECTS_SECURITY_OPERATIONS group – object security events

The FAP_EV_UPDATE_OPERATIONS group – updates

The FAP_EV_OBJECT_OPERATIONS group – operations with objects

The FAP_EV_DICT_ELEMS_OPERATIONS group – operations with MDM dictionary elements

The FAP_EV_EXPORT_IMPORT_OPERATIONS group – import/export operations

The FAP_EV_CUSTOM_OPERATIONS group – operations with custom objects
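A parser for event lines in the format described above, as an added example (illustrative code, not part of Foresight Analytics Platform or of any SIEM decoder). It splits the seven-field CEF header while honouring backslash escapes, parses the extension into key=value pairs whose values may contain spaces, validates the event group against the list above, and counts events per group, rejecting lines that are not platform CEF events. The sample lines are constructed: they place the group in the signature-ID field and end the header with |AuditLog|Unknown| as the page states, but the exact field positions are an assumption, and the parser finds the FAP_EV_ group wherever it sits in the header.

```python
"""Parse CEF event lines and group them by FAP_EV_* group.  Added example,
not platform code; the sample lines and header field positions are assumed."""
import re

FAP_GROUPS = {
    "FAP_EV_LOGONS", "FAP_EV_VCS_OPERATIONS", "FAP_EV_SECURITY_OPERATIONS",
    "FAP_EV_OBJECTS_SECURITY_OPERATIONS", "FAP_EV_UPDATE_OPERATIONS",
    "FAP_EV_OBJECT_OPERATIONS", "FAP_EV_DICT_ELEMS_OPERATIONS",
    "FAP_EV_EXPORT_IMPORT_OPERATIONS", "FAP_EV_CUSTOM_OPERATIONS",
}

# Constructed sample lines, including CEF escapes (\| in a header field,
# \\ and \= in extension values) and one line that is not CEF at all.
SAMPLE_LINES = [
    r"CEF:0|Foresight|Foresight Analytics Platform|Unknown|FAP_EV_LOGONS|AuditLog|Unknown|suser=jdoe src=10.0.0.7 outcome=success msg=User logon",
    r"CEF:0|Foresight|Foresight Analytics Platform|Unknown|FAP_EV_OBJECT_OPERATIONS|AuditLog|Unknown|suser=admin act=delete fname=Reports\\Sales 2024 msg=Object a\=b removed",
    r"CEF:0|Foresight|Foresight Analytics Platform \| Desktop|Unknown|FAP_EV_SECURITY_OPERATIONS|AuditLog|Unknown|suser=admin act=grant duser=analyst",
    "2024-05-01 12:00:00 this line is not CEF",
]

# A key starts at the beginning of the extension or after whitespace.  CEF
# requires '=' inside values to be escaped as \=, so this is unambiguous.
_EXT_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")


def split_header(line):
    """Split the seven pipe-delimited header fields, honouring backslash
    escapes (\\| and \\\\); return (fields, extension_text)."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            buf.append(line[i + 1])  # escaped character is taken literally
            i += 2
            continue
        if c == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    if len(fields) < 7:
        raise ValueError("incomplete CEF header")
    return fields, line[i:]


def _unescape(value):
    # \= \\ \| become the literal character; \n and \r become line breaks.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(text):
    """Turn 'k1=v1 k2=value with spaces' into a dict."""
    keys = list(_EXT_KEY.finditer(text))
    out = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(text)
        out[m.group(1)] = _unescape(text[m.end():end].strip())
    return out


def parse_cef(line):
    """Parse one event line; raise ValueError for anything that is not a
    platform CEF event (no CEF: prefix, short header, unknown group)."""
    fields, ext_text = split_header(line.rstrip("\r\n"))
    if not fields[0].startswith("CEF:"):
        raise ValueError("missing CEF: prefix")
    group = next((f for f in fields if f.startswith("FAP_EV_")), None)
    if group not in FAP_GROUPS:
        raise ValueError(f"unknown or missing event group: {group!r}")
    return {
        "version": fields[0][4:], "vendor": fields[1], "product": fields[2],
        "device_version": fields[3], "signature_id": fields[4],
        "name": fields[5], "severity": fields[6],
        "group": group, "ext": parse_extension(ext_text),
    }


def summarize(lines):
    """Count events per group; return (counts, number_of_unparseable_lines)."""
    counts, bad = {}, 0
    for line in lines:
        try:
            ev = parse_cef(line)
        except ValueError:
            bad += 1
            continue
        counts[ev["group"]] = counts.get(ev["group"], 0) + 1
    return counts, bad


if __name__ == "__main__":
    for line in SAMPLE_LINES[:3]:
        ev = parse_cef(line)
        print(ev["group"], ev["ext"])
    print(summarize(SAMPLE_LINES))
```

The unparseable-line count is worth watching on a real import: a non-zero value usually means the file was exported in an unexpected encoding or the decoder on the SIEM side is splitting on the wrong delimiter, and silently dropping such lines would leave gaps in the audit trail.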

See also:

System Requirements