Dell Security Management Server Syslog and SIEM guide

This article describes the Security Information and Event Management integration process.


Affected Products:

Dell Security Management Server
Dell Security Management Server Virtual
Dell Endpoint Security Suite Enterprise




What is a SIEM server/appliance?

SIEM (Security Information and Event Management) software can import data and run rules or reports on that data. The goal is to aggregate data from various sources, identify anomalies in that data, and take action.

What options do I have to send data to a SIEM/Syslog application?

The Dell Security Management Server and Dell Security Management Server Virtual both offer two different ways to feed data into a Syslog/SIEM application.

Server version 9.2 introduced communication with the Advanced Threat Prevention cloud, which allows Advanced Threat event data to be sent to a SIEM application.

To configure this data within the Dell Security Management Server or Dell Security Management Server Virtual's WebUI, navigate to Populations -> Enterprise -> Advanced Threats (this tab is only visible if Advanced Threat Prevention has been enabled through the Management -> Services Management task) -> Options.

The Options page has a check-box for "Syslog/SIEM" which allows us to configure where the data is sent. This data comes from the Advanced Threat Prevention servers that are hosted within Amazon Web Services.

If the Advanced Threat Prevention Syslog Integration cannot successfully deliver syslog messages to your server, an email notification will be sent to any Administrators with a confirmed email address in the organization, alerting them to the syslog issue.

If the issue is resolved before the 20-minute time period has ended, syslog messages continue to be delivered. If the issue is resolved after the 20-minute time period, an Administrator must re-enable syslog messaging.

Here is an example configuration that points to an external FQDN of extsiem.domain.org over port 5514. This configuration assumes that extsiem.domain.org has an external DNS entry that resolves to the server within the environment running the SIEM/Syslog application, and that port 5514 has been forwarded from the environment's gateway to the destination SIEM/Syslog application.

Events delivered through this functionality are branded as coming from Dell's vendor, Cylance.

The SaaS for Advanced Threat Prevention has several IP addresses for each region. This allows for expansion without interrupting the syslog service. Allow all IP addresses for your region when configuring your rule(s). Logs from Cylance are sourced from any one of these IPs, and the source can change at random.

Note: These IP addresses should remain static; however, it’s possible that Cylance will update this list in the future. Changes will be communicated via an email to Cylance console administrators. It’s the responsibility of the network administrator to update their rule(s) in response to changes.


Version 9.7 of Dell Security Management Server and Dell Security Management Server Virtual introduced the ability to send events received from agents. This includes the raw, unfiltered events from Dell Endpoint Security Suite Enterprise, as well as events from Dell Secure Lifecycle and Dell Data Guardian.

You can configure Security Management Server to send Agent Event Data within Management -> Services Management -> Event Management. This data can be exported to a local file or to Syslog; the two options available here are Export to Local File and Export to Syslog.

Export to Local File will update the audit-export.log file so it can be consumed by a universal forwarder. This file's default location is C:\Program Files\Dell\Enterprise Edition\Security Server\logs\siem\.

This file is updated every two hours with data. This file can be picked up and consumed by a forwarder. For more information on forwarders, please refer to the specific Syslog or SIEM application that you are leveraging to consume this data, as forwarders differ based on application.

Export to Syslog allows a direct connection to an internal SIEM/Syslog server within the environment. The logs are sent in a simple RFC 3164 syslog format with each event carried as a JSON bundle. This data comes from the Dell Security Management Server and is sent directly to the Syslog/SIEM server; it is collected and sent every two hours by a job.

The Dell Endpoint Security Suite Enterprise event data that is sent through is listed above. Typically this data is sent by the SaaS; with this option the Dell Security Management Server instead collects it from the agents as they check in with inventories and forwards it to the configured SIEM/Syslog application.

Agent event data contains both the previously mentioned Dell Endpoint Security Suite Enterprise event data and Dell Secure Lifecycle and Dell Data Guardian data. This data also arrives as events.

Application Control

This option is only visible to users who have the Application Control feature enabled. Application Control events represent actions occurring when the device is in Application Control mode. Selecting this option sends a message to the Syslog server whenever an attempt is made to modify or copy an executable file, or when an attempt is made to execute a file from an external device or network location.

Audit Log

Selecting this option sends the audit log of user actions performed in the SaaS to the Syslog server. Audit log events appear in the Audit Log screen, even when this option is unchecked.

Devices

Selecting this option sends device events to the Syslog server.

  • When a new device is registered, you will receive two messages for this event: Registration and SystemSecurity.
    Note: SystemSecurity messages are also generated when a user logs on to a device. Therefore, this message may occur more often, not just during registration.
  • When a device's policy, zone, name, or logging level has changed.

Memory Protection

Selecting this option will log any Memory Exploit Attempts that might be considered an attack from any of the Tenant's devices to the Syslog server. There are four types of Memory Exploit actions:

  • None: Allowed because no policy has been defined for this violation.
  • Allowed: Allowed by policy.
  • Blocked: Blocked from running by policy.
  • Terminated: Process has been terminated.

Script Control

Selecting this option will log any newly found scripts, convicted by Advanced Threat Prevention, to the Syslog server.

Syslog Script Control events contain the following properties:

  • Alert: The script is allowed to run. A script control event is sent to the Console.
  • Block: The script is not allowed to run. A script control event is sent to the Console.

The first time a Script Control event is detected, a message is sent via syslog with full event information. Each subsequent event that is deemed a duplicate will not be sent via syslog for the remainder of the day (based on the SaaS's server time).

At the end of the day, if the counter for a specific Script Control event is greater than one, an event will be sent via syslog with the count of all duplicate events that have transpired that day. If the counter equals one at the end of the day, no additional message will be sent via syslog.

Determining if a Script Control event is a duplicate uses the following logic:

  • Look at key information: Device, Hash, Username, and Block/Alert.
  • For the first event received in a day, set a counter value to 1. There are separate counters for Block and Alert.
  • All subsequent events with the same key increment the counter.
  • The counter resets each calendar day, according to the SaaS's server time.

Example: If Script A runs on Device 1 at 11:59 PM on 9/20/16 and then again at 12:05 AM and 12:15 AM on 9/21/16, the result is:

  • One syslog message is sent on 9/20/16 for the one Script Control event for that day.
  • One syslog message is sent on 9/21/16 for the two duplicate Script Control events for that day.

Note: Only one syslog message is sent on 9/21/16 because the events are duplicates of the event that occurred on 9/20/16.
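As an added example (not code from the Dell article), here is a Python model of the Script Control duplicate-suppression logic described above, run against the 9/20/16 to 9/21/16 scenario. The timestamps, user name and script hash are constructed placeholders, and the day boundary is taken from the event timestamp as a stand-in for the SaaS server time.

```python
from collections import defaultdict
from datetime import datetime

# Constructed events modelled on the page's example: Script A on Device 1 at
# 11:59 PM on 9/20/16, then at 12:05 AM and 12:15 AM on 9/21/16.
# SCRIPT_A_HASH is a placeholder for the script hash, not a real indicator.
SAMPLE_EVENTS = [
    {"ts": "2016-09-20 23:59", "device": "Device 1", "hash": "SCRIPT_A_HASH", "user": "user1", "action": "Block"},
    {"ts": "2016-09-21 00:05", "device": "Device 1", "hash": "SCRIPT_A_HASH", "user": "user1", "action": "Block"},
    {"ts": "2016-09-21 00:15", "device": "Device 1", "hash": "SCRIPT_A_HASH", "user": "user1", "action": "Block"},
]


def event_key(ev):
    """Key information the page names: Device, Hash, Username and Block/Alert.
    Including the action gives Block and Alert separate counters for one script."""
    return (ev["device"], ev["hash"], ev["user"], ev["action"])


def simulate_syslog(events):
    """Return the syslog messages the SaaS would emit, in order, as
    (day, key, kind, count) tuples. kind is "full" for the first time a key is
    ever seen and "summary" for an end-of-day duplicate count greater than one."""
    messages = []
    seen = set()                 # keys that have already produced a full message
    by_day = defaultdict(list)
    for ev in events:
        # The counter resets each calendar day (SaaS server time in the real service).
        by_day[datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M").date()].append(ev)
    for day in sorted(by_day):
        counters = {}            # fresh per-day counters, one per key
        for ev in sorted(by_day[day], key=lambda e: e["ts"]):
            key = event_key(ev)
            counters[key] = counters.get(key, 0) + 1
            if key not in seen:  # first detection: send full event information
                seen.add(key)
                messages.append((day, key, "full", 1))
            # duplicates are counted only; nothing is sent until end of day
        for key, count in counters.items():
            if count > 1:        # end of day: one message with the duplicate count
                messages.append((day, key, "summary", count))
    return messages


def page_example():
    """Run the page's 9/20 to 9/21 scenario; expect exactly one message per day."""
    return simulate_syslog(SAMPLE_EVENTS)


if __name__ == "__main__":
    for day, key, kind, count in page_example():
        print(day, kind, "count=%d" % count, key)
```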

Threats

Selecting this option will log any newly found threats, or changes observed for any existing threat, to the Syslog server. Changes include a threat being removed, quarantined, waived, or executed.

There are five Threat Event types:

  • threat_found: A new threat has been found in an Unsafe status.
  • threat_removed: An existing threat has been removed.
  • threat_quarantined: A new threat has been found in the Quarantine status.
  • threat_waived: A new threat has been found in the Waived status.
  • threat_changed: The behavior of an existing threat has changed (examples: score, quarantine status, running status).

There are six Threat Classification types:

  • File Unavailable: Due to an upload constraint (example: file is too large to upload), the file is unavailable for analysis.
  • Malware: The file is classified as malware.
  • Possible PUP: The file might be a potentially unwanted program (PUP).
  • PUP: The file is considered a potentially unwanted program (PUP).
  • Trusted: The file is considered trusted.
  • Unclassified: ATP has not analyzed this file.

Each day, Dell's Advanced Threat Prevention will classify hundreds of threats as either Malware or PUPs (Potentially Unwanted Programs).

By selecting this option, you will be notified when these events occur.

SIEM

Specifies the type of Syslog server or SIEM that events are to be sent to.

Protocol

This must match what you have configured on your Syslog server. The choices are UDP or TCP. TCP is the default and we encourage customers to use it. UDP is not recommended as it does not guarantee message delivery.

TLS/SSL

Only available if the Protocol specified is TCP. TLS/SSL ensures the Syslog message is encrypted in transit to the Syslog server. We encourage customers to select this option. Be sure your Syslog server is configured to listen for TLS/SSL messages.

IP/Domain

Specifies the IP address or fully-qualified domain name of the Syslog server that the customer has set up. Consult with your internal network experts to ensure firewall and domain settings are properly configured.

Port

Specifies the port number on which the Syslog server listens for messages. It must be a number between 1 and 65535. Typical values are 512 for UDP, 1235 or 1468 for TCP, and 6514 for secured TCP (that is, TCP with TLS/SSL enabled).

Severity

Specifies the severity of the messages that should appear in the Syslog server. This is a subjective field, and you may set it to whatever level you like. The value of severity does not change the messages that are forwarded to Syslog.

Facility

Specifies what type of application is logging the message. The default is Internal (or Syslog). This is used to categorize the messages when they are received by the Syslog server.

Custom Token

Some log management services, like SumoLogic, might need a custom token included with syslog messages to help identify where those messages should go. The custom token is provided by your log management service.

Example: 4uOHzVv+ZKBheckRJouU3+XojMn02Yb0DOKlYwTZuDU1K+PsY27+ew==
Note: The Custom Token field is available with all Syslog/SIEM options, not just SumoLogic. It is possible to type any information as a custom tag to the syslog information.

Click Test Connection to test the IP/Domain, Port and Protocol settings. If valid values are entered, you will receive a success confirmation pop-up.

On the Syslog server console, you will receive the following Test Connection Message:

Event that tells an admin when a file has been uploaded to a cloud provider.

The agent that generates the event may be one or more of the following:

  • Mac
  • Windows
  • Android
  • iOS

Payload

  • provider: process that is doing the upload.
  • file: information about the file being uploaded; includes keyid, path, filename and size.
  • geometry: location where this event took place.
  • loggedinuser: user that is logged into the device.

{
  "source": {
    "agent": "c4b28f9b-0fe8-4f40-b8de-705753492d46",
    "user": "test@domain.org",
    "device": "A5474602085.domain.org",
    "plugin": "ae69b049-602d-4f10-81f8-f0f126cb10f3"
  },
  "timestamp": 1456328219437,
  "payload": {
    "provider": "Sync Provider",
    "file": {
      "keyid": "Test Key Id",
      "path": "Test Path",
      "filename": "Original Name",
      "size": 1234
    },
    "loggedinuser": "test@domain.org"
  },
  "geometry": {
    "type": "Point",
    "coordinates": [115.24631773614618, 41.082960184314317]
  },
  "moniker": "sl_file_upload",
  "version": 1
}

Event that happens when a user changes the folder policy through the folder management console.

The agent that generates the event may be one or more of the following:

  • Mac
  • Windows
  • Android
  • iOS

Payload

  • folderpath: folder in which the protection level was changed.
  • folderprotection: a string that defines a protection level: UsePolicy, ForceAllow, ForceProtect, PreExisting_ForceAllow, PreExisting_ForceAllow_Confirmed.
  • geometry: location where this event took place.
  • loggedinuser: user that is logged into the device.

{
  "source": {
    "agent": "c4b28f9b-0fe8-4f40-b8de-705753492d46",
    "user": "test@domain.org",
    "device": "A5474602085.domain.org",
    "plugin": "ae69b049-602d-4f10-81f8-f0f126cb10f3"
  },
  "timestamp": 1456328219437,
  "payload": {
    "folderpath": "Folder Path",
    "folderprotection": "ForceProtect",
    "loggedinuser": "test@domain.org"
  },
  "geometry": {
    "type": "Point",
    "coordinates": [115.24631773614618, 41.082960184314317]
  },
  "moniker": "sl_file_overrride",
  "version": 1
}

Event that tells an admin when access to a cloud provider has been blocked.

The agent that generates the event may be one or more of the following:

  • Mac
  • Windows
  • Android
  • iOS

Payload

  • address: the address the process attempted to reach.
  • process: the process attempting to access the cloud provider.
  • application: type of process trying to access a blocked cloud provider: App, Proxy, or Browser.
  • netaction: type of action happening (only one value: Blocked).
  • geometry: location where this event took place.
  • loggedinuser: user that is logged into the device.

{
  "source": {
    "agent": "c4b28f9b-0fe8-4f40-b8de-705753492d46",
    "user": "test@domain.org",
    "device": "A5474602085.domain.org",
    "plugin": "ae69b049-602d-4f10-81f8-f0f126cb10f3"
  },
  "timestamp": 1456328219437,
  "payload": {
    "address": "www.yahoo.com",
    "process": "process.exe",
    "application": "Proxy",
    "netaction": "Blocked",
    "loggedinuser": "test@domain.org"
  },
  "geometry": {
    "type": "Point",
    "coordinates": [115.24631773614618, 41.082960184314317]
  },
  "moniker": "sl_net_info",
  "version": 1
}

Events that deal with the actions associated with Dell Data Guardian protected emails.

The agent that generates the event may be one or more of the following:

  • Mac
  • Windows
  • Android
  • iOS

Payload

  • emails: array of email objects; each object has the fields below.
  • keyId: key id used to protect the email.
  • subject: subject line from the email.
  • to: email addresses that the email was sent to.
  • cc: email addresses that the email was copied to.
  • bcc: email addresses that the email was blind copied to.
  • from: email address of the person that sent the email.
  • attachments: names of attachments that were added to the email.
  • action: "Opened", "Created", "Responded", "Sent".
  • loggedinuser: user that is logged into the device.

{
  "source": {
    "agent": "c4b28f9b-0fe8-4f40-b8de-705753492d46",
    "user": "test@domain.org",
    "device": "A5474602085.domain.org",
    "plugin": "ae69b049-602d-4f10-81f8-f0f126cb10f3"
  },
  "timestamp": 1456328219437,
  "payload": {
    "emails": [{
      "keyid": "c4b28f9b-0fe8-4f40-b8de-705753492d46",
      "subject": "Test Subject",
      "from": "dvader@empire.net",
      "to": ["myemail@yahoo.com", "anotheremail@gmail.com"],
      "cc": ["myemail@yahoo.com", "anotheremail@gmail.com"],
      "bcc": ["myemail@yahoo.com", "anotheremail@gmail.com"],
      "attachments": ["myDocx.docx", "HelloWorld.txt"],
      "action": "Open"
    }],
    "loggedinuser": "test@domain.org"
  },
  "geometry": {
    "type": "Point",
    "coordinates": [115.24631773614618, 41.082960184314317]
  },
  "moniker": "sl_protected_email",
  "version": 1
}

Events that deal with the actions associated with Dell Data Guardian protected office documents.

The agent that generates the event may be one or more of the following:

  • Mac
  • Windows
  • Android
  • iOS

Payload

  • file: information about the file that was encrypted, decrypted or deleted.
  • clientType: client type that has been installed: External or Internal.
  • action: Created, Accessed, Modified, Unprotected, AttemptAccess.
  • slaction: New, Open, Updated, Swept, Watermarked, BlockCopy, RepairedTampering, DetectedTampering, Unprotected, Deleted, RequestAccess, GeoBlocked, RightClickProtected, PrintBlocked.
  • geometry: location where this event took place.
  • from: timestamp for when the summary event began.
  • to: timestamp for when the summary event ended.
  • loggedinuser: user that is logged into the device.
  • appinfo: information about the application using the protected Office document.

{
  "source": {
    "agent": "c4b28f9b-0fe8-4f40-b8de-705753492d46",
    "user": "test@domain.org",
    "device": "A5474602085.domain.org",
    "plugin": "ae69b049-602d-4f10-81f8-f0f126cb10f3"
  },
  "timestamp": 1456328219437,
  "payload": {
    "from": 1234567,
    "to": 1234567,
    "file": {
      "keyid": "Test Key Id",
      "path": "Test Path",
      "filename": "Original Name",
      "size": 1234
    },
    "clientType": "internal",
    "action": "Accessed",
    "slaction": "Open"
  },
  "geometry": {
    "type": "Point",
    "coordinates": [115.24631773614618, 41.082960184314317]
  },
  "moniker": "sl_protected_file",
  "version": 1
}

Example payloads for other action and slaction combinations:

"payload": {"from": 12345678, "to": 12345678, "file": {"keyid": "Test Key Id", "path": "Test Path", "filename": "Original Name", "size": 1234}, "clientType": "external", "action": "Created", "slaction": "New", "loggedinuser": "test@domain.org"}

"payload": {"from": 12345678, "to": 12345678, "file": {"keyid": "Test Key Id", "path": "Test Path", "filename": "Original Name", "size": 1234}, "clientType": "external", "action": "Accessed", "slaction": "Open", "loggedinuser": "test@domain.org"}

"payload": {"from": 12345678, "to": 12345678, "file": {"keyid": "Test Key Id", "path": "Test Path", "filename": "Original Name", "size": 1234}, "clientType": "external", "action": "Modified", "slaction": "Updated", "loggedinuser": "test@domain.org"}

"payload": {"from": 12345678, "to": 12345678, "file": {"keyid": "Test Key Id", "path": "Test Path", "filename": "Original Name", "size": 1234}, "clientType": "external", "action": "Modified", "slaction": "Swept", "loggedinuser": "test@domain.org"}

"payload": {"from": 12345678, "to": 12345678, "file": {"keyid": "Test Key Id", "path": "Test Path", "filename": "Original Name", "size": 1234}, "clientType": "external", "action": "Modified", "slaction": "Watermarked", "loggedinuser": "test@domain.org"}

"payload": {"from": 12345678, "to": 12345678, "file": {"keyid": "Test Key Id", "path": "Test Path", "filename": "Original Name", "size": 1234}, "clientType": "external", "action": "Accessed", "slaction": "BlockedCopy", "loggedinuser": "test@domain.org"}

"payload": {"from": 12345678, "to": 12345678, "file": {"keyid": "Test Key Id", "path": "Test Path", "filename": "Original Name", "size": 1234}, "clientType": "external", "action": "Accessed", "slaction": "DetectedTampering", "loggedinuser": "test@domain.org"}

"payload": {"from": 12345678, "to": 12345678, "file": {"keyid": "Test Key Id", "path": "Test Path", "filename": "Original Name", "size": 1234}, "clientType": "external", "action": "Modified", "slaction": "RightClickProtected", "loggedinuser": "test@domain.org"}

"payload": {"from": 12345678, "to": 12345678, "file": {"keyid": "Test Key Id", "path": "Test Path", "filename": "Original Name", "size": 1234}, "clientType": "external", "action": "Accessed", "slaction": "PrintBlocked", "appinfo": {"app": "Word", "information": "Print blocked protected office document open."}, "loggedinuser": "test@domain.org"}

"payload": {"from": 12345678, "to": 12345678, "clientType": "external", "action": "Accessed", "slaction": "PrintBlocked", "appinfo": {"app": "Reader", "information": "Print blocked while protected PDF open."}, "loggedinuser": "test@domain.org"}

Event that happens when the system issues an event.

The agent that generates the event may be one or more of the following:

  • Mac
  • Windows
  • Android
  • iOS

Payload

  • action: what the system is doing (examples: Login, Logout, PrintScreenBlocked, ProcessBlocked).
  • geometry: location where this event took place.
  • clientType: client type that has been installed: external or internal.
  • loggedinuser: user that logged in to the device.
  • processInfo: information about the process, with the two fields below.
  • disposition: how the process was blocked: Terminated, Blocked, None.
  • name: name of the process.

{
  "source": {
    "agent": "c4b28f9b-0fe8-4f40-b8de-705753492d46",
    "user": "test@domain.org",
    "device": "A5474602085.domain.org",
    "plugin": "ae69b049-602d-4f10-81f8-f0f126cb10f3"
  },
  "timestamp": 1456328219437,
  "payload": {
    "action": "login",
    "clientType": "external",
    "loggedinuser": "test@domain.org"
  },
  "geometry": {
    "type": "Point",
    "coordinates": [115.24631773614618, 41.082960184314317]
  },
  "moniker": "sl_system",
  "version": 1
}

Example payloads for the blocked actions:

"payload": {"action": "PrintScreenBlocked", "clientType": "external", "loggedinuser": "test@domain.org"}

"payload": {"action": "processblocked", "clientType": "external", "loggedinuser": "test@domain.org", "processinfo": {"name": "winword.exe", "disposition": "Terminated"}}

Cloud Edition events that specify when a file is encrypted, decrypted or deleted from a supported cloud provider.

The agent that generates the event may be one or more of the following:

  • Mac
  • Windows
  • Android
  • iOS

Payload

  • file: information about the file that was encrypted, decrypted or deleted.
  • clientType: client type that has been installed: External or Internal.
  • action: Created, Accessed, Modified, Deleted.
  • cloudname: name of the file in the cloud, which may differ from the name in the file field above.
  • xenaction: what the Data Guardian (DG) service is trying to do: Encrypt, Decrypt, Deleted.
  • geometry: location where this event took place.
  • loggedinuser: user that is logged into the device.

{
  "source": {
    "agent": "c4b28f9b-0fe8-4f40-b8de-705753492d46",
    "user": "test@domain.org",
    "device": "A5474602085.domain.org",
    "plugin": "ae69b049-602d-4f10-81f8-f0f126cb10f3"
  },
  "timestamp": 1456328219437,
  "payload": {
    "file": {
      "keyid": "Test Key Id",
      "path": "Test Path",
      "filename": "Original Name",
      "size": 1234
    },
    "clientType": "internal",
    "action": "Created",
    "cloudname": "Cloud Name",
    "xenaction": "Encrypt",
    "loggedinuser": "test@domain.org"
  },
  "geometry": {
    "type": "Point",
    "coordinates": [115.24631773614618, 41.082960184314317]
  },
  "moniker": "sl_xen_file",
  "version": 1
}
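As an added example (not code from the Dell article), here is a Python triage script for the Export to Syslog feed: it parses RFC 3164 lines carrying the agent event JSON documented above, decodes the PRI into facility and severity, and labels events by moniker and payload so that blocked cloud access, tampering and blocked processes stand out from routine events. The syslog tag, host name and exact line layout are assumptions, and the sample lines are constructed from the placeholder values used in the page's own examples.

```python
import json
import re
from collections import Counter

# Assumed RFC 3164 layout: <PRI>TIMESTAMP HOST TAG: {json}. TAG and host are placeholders.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>\{.*\})$"
)

# Outcomes the page documents as blocked or suspicious. The page's own sample
# payload spells one slaction "BlockedCopy", so both spellings are accepted.
FILE_ALERTS = {"DetectedTampering", "BlockCopy", "BlockedCopy", "GeoBlocked",
               "PrintBlocked", "RightClickProtected"}
SYSTEM_ALERTS = {"printscreenblocked", "processblocked"}
KNOWN_MONIKERS = {"sl_file_upload", "sl_file_overrride", "sl_net_info",
                  "sl_protected_email", "sl_protected_file", "sl_system", "sl_xen_file"}


def parse_line(line):
    """Split one syslog line into facility, severity, host and the decoded JSON event."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not an RFC 3164 line carrying a JSON event")
    pri = int(m.group("pri"))  # PRI = facility * 8 + severity
    return {"facility": pri // 8, "severity": pri % 8,
            "host": m.group("host"), "event": json.loads(m.group("msg"))}


def classify(event):
    """Label an agent event by moniker and payload; "alert:" labels merit a look."""
    moniker = event.get("moniker", "").strip()  # tolerate a stray leading space
    payload = event.get("payload", {})
    if moniker == "sl_net_info" and payload.get("netaction") == "Blocked":
        return "alert:cloud-access-blocked"
    if moniker == "sl_protected_file" and payload.get("slaction") in FILE_ALERTS:
        return "alert:protected-document-" + payload["slaction"]
    if moniker == "sl_system" and payload.get("action", "").lower() in SYSTEM_ALERTS:
        return "alert:system-" + payload["action"].lower()
    return ("info:" if moniker in KNOWN_MONIKERS else "unknown:") + moniker


def triage(lines):
    """Return (label counts, [(device, user, label), ...] for alert-labelled events)."""
    counts, alerts = Counter(), []
    for line in lines:
        rec = parse_line(line)
        label = classify(rec["event"])
        counts[label] += 1
        if label.startswith("alert:"):
            src = rec["event"].get("source", {})
            alerts.append((src.get("device"), src.get("user"), label))
    return counts, alerts


# Constructed sample lines built from the placeholder values in the page's examples.
SRC = {"agent": "c4b28f9b-0fe8-4f40-b8de-705753492d46", "user": "test@domain.org",
       "device": "A5474602085.domain.org", "plugin": "ae69b049-602d-4f10-81f8-f0f126cb10f3"}


def _line(moniker, payload, pri=134):  # 134 = facility 16 (local0) * 8 + severity 6 (info)
    event = {"source": SRC, "timestamp": 1456328219437, "payload": payload,
             "moniker": moniker, "version": 1}
    return "<%d>Sep 14 09:37:00 dsms01 DellSecurityManagementServer: %s" % (pri, json.dumps(event))


SAMPLE_LINES = [
    _line("sl_net_info", {"address": "www.yahoo.com", "process": "process.exe", "application": "Proxy",
                          "netaction": "Blocked", "loggedinuser": "test@domain.org"}),
    _line("sl_protected_file", {"clientType": "external", "action": "Accessed",
                                "slaction": "DetectedTampering", "loggedinuser": "test@domain.org"}),
    _line("sl_system", {"action": "login", "clientType": "external", "loggedinuser": "test@domain.org"}),
]
```

Running `triage(SAMPLE_LINES)` returns the per-label counts and two alert tuples for the device A5474602085.domain.org; a line that fails the regex raises ValueError so a malformed forwarder line is not silently dropped.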


For support, US-based customers may contact Dell Data Security ProSupport at 877.459.7304, Option 1, Ext. 4310039, or via the Chat Portal. To contact support outside the US, reference ProSupport’s International Contact Numbers. For additional insights and resources, visit the Dell Security Community Forum.



Article ID: SLN309070

Last Date Modified: 09/14/2019 09:37 AM

