LogPoint and beSECURE Integration
LogPoint and beSECURE can be integrated in several ways, from file collection to Syslog data exchange.
The easier one to implement, though it lacks the data depth provided by file collection, requires two things: configuring LogPoint to accept incoming Syslog connections from beSECURE, and configuring beSECURE to send Syslog output whenever a scan completes.
Start configuring LogPoint by logging in to the product. If this is a fresh installation of LogPoint, the default credentials are admin / changeme:
Once you have logged on click on the Settings page:
Then click on the Repos button:
We recommend creating a repository dedicated to beSECURE (though you can use the ‘default’ one). Click “Add”:
Give the repository a name, such as beSECURE_Report, and configure how many days you would like to keep the beSECURE data. We recommend no less than two scan intervals: for example, 15 days if you do weekly scans, 62 days if you do monthly scans, and so on. By keeping a record of at least two scans you can compare results and analyze them over time. Because my scans are configured to run weekly, I will keep the repo history at 15 days:
Next go to the Log Collection Policies screen:
and click “Add”:
Give it a name, beSECURE_Collection, for example:
Configure a collector by clicking “Yes”:
Click on the “Syslog Collector” icon:
Configure the Syslog Collector with the “SyslogParser” parser and a “Processing Policy” of “default”:
The “beSECURE_Collection” screen should now show:
We now need to create a Normalizing Policy. This converts each Syslog line into meaningful, searchable data inside LogPoint. Under Settings click Knowledge Base, and then the “Normalizing Packages” button:
Fill in the fields with beSECURE for the name and “Process incoming beSECURE Syslog entries” for the description:
Click “Submit”, then in the list click on the “Signatures” icon:
In the Pattern field, place:
<id:int> <source_ts:datetime_m> beSECURE beSECURE <process_id:int> - - TestID=<TestID:all> VulnerabilityName=<VulnerabilityName:all> RiskNo=<RiskFactorValue:all> RiskText=<RiskFactorName:all> AffectedHost=<AffectedHost:all> AffectedPort=<AffectedPort:all> AffectedProtocol=<AffectedProtocol:all> CVE=<CVE:all> CVSSScore=<CVSSScore:all>
In the Example field you can place (this is optional):
<46>1 2017-11-02T00:06:16+01:00 beSECURE beSECURE 6706 - - TestID=<!-- #TestID# --> VulnerabilityName=<!-- #VulnerabilityName# --> RiskNo=<!-- #RiskFactorValue# --> RiskText=<!-- #RiskFactorName# --> AffectedHost=<!-- #AffectedHost# --> AffectedPort=<!-- #AffectedPort# --> AffectedProtocol=<!-- #AffectedProto# --> CVE=<!-- #CVE# --> CVSSScore=<!-- #CVSSScore# -->
(This is useful for testing the pattern.)
Add a “Key Values” entry named “norm_id” with the value “beSECURE”, and another one (by clicking on the sign) with the name “label” and the value “Vulnerability”.
If you wish to test the pattern you wrote, click on the button:
The response should be:
Click “Submit” to save your data.
Repeat the process and add an additional pattern with the same “norm_id”, but without the “label” of “Vulnerability”:
<id:int> <source_ts:datetime_m> beSECURE beSECURE <process_id:int> - - Scan <job_name:all> <state:started|completed>
You can place this as the “Example”:
<46>1 2017-11-01T17:24:34+01:00 beSECURE beSECURE 23460 - - Scan test completed
If you want to check the pattern, click on “Check Pattern”; the response should look like this:
The complete Normalizing Package setup should look like this:
Click “Submit” to save it.
We now need to create a Processing Policy. This is what makes incoming beSECURE data searchable inside LogPoint. Under the Configuration page click on “Processing Policy”:
Create a new one named “beSECURE_Processing”, set it to use the Normalizing Policy “beSECURE”, with “None” for the Enrichment Policy and “default” for the Routing Policy:
Click “Submit” to save it.
Go back to the “Log Collection Policies” screen, select the “beSECURE_Collection”, and click on the:
Select the Syslog section:
Change the Processing Policy to “beSECURE_Processing”:
The last step is to allow beSECURE to connect to LogPoint and “feed” it syslog entries. By default LogPoint does not accept incoming Syslog connections from a source unless that device has been configured, so click on the “Devices” icon:
Configure it with a “Name”, such as beSECURE, and the IP address of beSECURE (in this case 192.168.15.180). In the “Device Group” choose linux (this has no effect; you can use any device group you wish), and select the previously created “Log Collection Policy”, beSECURE_Collection:
Click “Submit” and you are almost done with the integration.
Now head to the beSECURE interface, specifically the Integration page. beSECURE supports multiple output formats; you can use CEF, as in this example:
Which includes this value for Send Scan Start:
Scan <!-- #Name# --> started
Which includes this value for Send Scan Completed:
Scan <!-- #Name# --> completed
Which includes this value for Send Scan Results:
TestID=<!-- #TestID# --> VulnerabilityName=<!-- #VulnerabilityName# --> RiskNo=<!-- #RiskFactorValue# --> RiskText=<!-- #RiskFactorName# --> AffectedHost=<!-- #AffectedHost# --> AffectedPort=<!-- #AffectedPort# --> AffectedProtocol=<!-- #AffectedProto# --> CVE=<!-- #CVE# --> CVSSScore=<!-- #CVSSScore# -->
The syslog entries will start to show up in LogPoint as soon as a scan completes; you can search for them in their normalized form with norm_id="beSECURE":
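To check offline that the two signatures above cover what beSECURE actually sends before you rely on the dashboard search, the following added example (my own code, not part of the original write-up or of either product) reimplements the same normalization in Python: it parses the RFC 5424 header, matches either the per-finding line or the "Scan … started/completed" line, and applies the same field renames and norm_id/label values as the LogPoint package. The sample lines are constructed with made-up finding values and are not real scanner output.

```python
import re
from datetime import datetime

# Constructed sample lines in the shape beSECURE emits (placeholders filled with
# made-up values); not captured from a real scanner.
SAMPLE_LINES = [
    "<46>1 2017-11-01T17:24:34+01:00 beSECURE beSECURE 23460 - - Scan test started",
    "<46>1 2017-11-02T00:06:16+01:00 beSECURE beSECURE 6706 - - TestID=12345 "
    "VulnerabilityName=Example Outdated Service RiskNo=4 RiskText=High "
    "AffectedHost=192.168.15.181 AffectedPort=443 AffectedProtocol=tcp "
    "CVE=CVE-0000-0000 CVSSScore=7.5",
    "<46>1 2017-11-02T00:06:17+01:00 beSECURE beSECURE 6706 - - Scan test completed",
]
# RFC 5424 header as the signatures expect it: PRI, version, timestamp, hostname,
# app-name, procid, "- -" (no msgid, no structured data), then the message.
HEADER = re.compile(r"^<(?P<pri>\d{1,3})>\d (?P<source_ts>\S+) beSECURE beSECURE "
                    r"(?P<process_id>\d+) - - (?P<msg>.*)$")
SCAN_STATE = re.compile(r"^Scan (?P<job_name>.+) (?P<state>started|completed)$")
# Keys in the order of the "Send Scan Results" template. Values may contain
# spaces, so each one runs lazily up to the next key, like LogPoint's <name:all>.
KEYS = ["TestID", "VulnerabilityName", "RiskNo", "RiskText", "AffectedHost",
        "AffectedPort", "AffectedProtocol", "CVE", "CVSSScore"]
RESULT = re.compile("^" + " ".join(f"{k}=(?P<{k}>.*?)" for k in KEYS[:-1])
                    + f" {KEYS[-1]}=(?P<{KEYS[-1]}>.*)$")
# Field renames the LogPoint pattern applies.
RENAMES = {"RiskNo": "RiskFactorValue", "RiskText": "RiskFactorName"}


def normalize(line):
    """Return the normalized field dict for one beSECURE syslog line, or None
    when it matches neither signature (LogPoint would leave such a line unparsed)."""
    m = HEADER.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    event = {"norm_id": "beSECURE",
             "facility": pri >> 3, "severity": pri & 7,   # <46>: facility 5, severity 6
             "source_ts": datetime.fromisoformat(m.group("source_ts")),
             "process_id": int(m.group("process_id"))}
    r = RESULT.match(m.group("msg"))
    if r:   # per-finding line: carries label=Vulnerability, as in the first signature
        event["label"] = "Vulnerability"
        event.update({RENAMES.get(k, k): v for k, v in r.groupdict().items()})
        return event
    s = SCAN_STATE.match(m.group("msg"))
    if s:   # scan start/completion line: second signature, no label
        event.update(s.groupdict())
        return event
    return None
```

Running each line of SAMPLE_LINES through normalize() gives the same fields the LogPoint search on norm_id="beSECURE" returns; a line that yields None is one your signatures would miss, which is the case to fix in the Normalizing Package rather than in the query.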