Collectors

Enginsight provides a diverse range of collector types that allow for comprehensive data collection. Within the Enginsight system, there are a total of three main types of collectors: Receiving Collectors, Relationship Collectors, and Integrated Collectors. These different collectors act as Pulsar Agents, actively on a mission to collect valuable data to ensure comprehensive insights into the system landscape.

General Collectors

General collectors act as primary data collection points in Enginsight SIEM. They open ports and receive external logs through those ports. It does not matter where the agent is located in the network - even in isolated networks without external access. The only critical requirement is that the firewall allows data transfer to these ports and the agent has the authority to send this data to the API.

Event Relais

Assign a unique name and write a short description. Next, specify a host that will serve as the receive collector. By default, the "bind address" is set to 0.0.0.0. to receive data from the internal and external network. Alignment to an internal IP address is also possible, to leave external IPs out of the consideration, enter a desired IP for this purpose. Select under "Protocol" between UDP and TCP. Under "Format" you specify with which syslog format the incoming data should be parsed.

Finally, click "Add Collector" to save your created event relay.

ESET Event Relais

1. In Eset Protect Management, go to "Settings" via "More". Enter the corresponding values under Syslog Server.

1. Now switch to your notifications. And create separate notifications for each event type.

1. Under "Basic", proceed as shown in the following diagram. Make sure that the notifications are activated and assign names (these are freely selectable and are only used for the overview). The event type is defined in the top line and the syslog event in the 2nd line:

1. Switch to "Configuration" and select the appropriate event type under Category.

1. Now switch to "Distribution" and allow the sending of syslogs.

Then enter the corresponding template for the notification in the "Content" sub-item. Proceed according to the following scheme (event type (line 1) and the syslog template (full line 2)).

Scan:
4 - "${computer_name}"|"${severity}"|"${timestamp}"|"${scanned_targets}"|"${scanned}"|"${infected}"|"${cleaned}"|"${status}"|"${completion}"|"${scanner}"|"${user}"|"${computer_sg_parent}"|"${computer_sg_hierarchy}"|"${notification_name}"

HIPS:
6 - "${computer_name}"|"${severity}"|"${timestamp}"|"${application}"|"${operation}"|"${target}"|"${action}"|"${rule_name}"|"${occurrences}"|"${user}"|"${computer_sg_parent}"|"${computer_sg_hierarchy}"|"${notification_name}"

ESET INSPECT alert:
8 - "${computer_name}"|"${severity}"|"${timestamp}"|"${process_name}"|"${user}"|"${rule_name}"|"${occurrences}"|"${ei_console_link}"|"${hash}"|"${detection_handled}"|"${severity_score}"|"${computer_severity_score}"|"${computer_sg_parent}"|"${computer_sg_hierarchy}"|"${notification_name}"

Firewall detection:
7 - "${computer_name}"|"${severity}"|"${timestamp}"|"${firewall_event}"|"${ip_address}"|"${src_address_type}"|"${src_port}"|"${tgt_address}"|"${tgt_address_type}"|"${tgt_port}"|"${protocol}"|"${inbound_comm}"|"${user}"|"${process_name}"|"${rule_name}"|"${detection_name}"|"${occurrences}"|"${detection_handled}"|"${computer_sg_parent}"|"${computer_sg_hierarchy}"|"${notification_name}"

Computer identity recovered:
9 - "${timestamp}"|"${source_computer_name}"|"${target_computer_name}"|"${computer_sg_parent}"|"${computer_sg_hierarchy}"|"${notification_name}"

Computer first connected:
10 - "${timestamp}"|"${computer_name}"|"${is_hardware_detection_enabled}"|"${computer_sg_parent}"|"${computer_sg_hierarchy}"|"${notification_name}"

Antivirus detection:
1 - "${computer_name}"|"${severity}"|"${timestamp}"|"${detection_type}"|"${detection_name}"|"${scanner}"|"${virus_db}"|"${object_type}"|"${object_uri}"|"${action_performed}"|"${action_error}"|"${detection_handled}"|"${restart_required}"|"${user}"|"${process_name}"|"${circumstances}"|"${first_seen_time}"|"${hash}"|"${computer_sg_parent}"|"${computer_sg_hierarchy}"|"${notification_name}"

Blocked File:
2 - "${computer_name}"|"${severity}"|"${timestamp}"|"${object_uri}"|"${description}"|"${cause}"|"${action}"|"${process_name}"|"${user}"|"${hash}"|"${first_seen_time}"|"${detection_handled}"|"${computer_sg_parent}"|"${computer_sg_hierarchy}"|"${notification_name}"

Computer cloning question created:
3 - "${timestamp}"|"${source_computer_name}"|"${target_computer_name}"|"${computer_sg_parent}"|"${computer_sg_hierarchy}"|"${notification_name}"

New MSP customer found:
5 - "${timestamp}"|"${msp_customer_name}"|"${msp_company_name}"|"${notification_name}"

Log files

Use the log files to isolate relevant security information from the log files of various systems that are not able to send independently via event relays.

Create a new collector via Add collector. Assign a unique name and a short description. The default setting is that the collector should send logs. If you do not want this, deactivate the function by clicking on the button. Then define a host assignment. Decide here between:

• Reference: Then define at least one host from which the logs are to be recorded.

• or Tags: Then define at least one tag from which to apply.

Finally, define at least one extractor for your log files, create the relevant file paths and add your collector by clicking on the relevant button.

API Collectors

These collectors extract data from connected cloud applications and actively transmit it to the SIEM, expanding the scope of overall data collection.

Create Microsoft Office 365 Collector

1. To connect your Office logs to the Enginsight SIEM, you must first create an API key in your Microsoft Office application. To do this, follow the instructions below.

2. After you have created your key, the permissions under Microsoft Azure must be set as follows:

1. Finally, create a collector in your SIEM. Assign a unique name and a short description for the collector. Then specify whether the collector can send logs. Select a host from the drop-down menu under "Host". Enter one or more "Channels" to be monitored and add the "Tenant ID" and the "Client ID". Once you have finally decided on the "Authentication method" (secret or certificate), you can save the changes you have made and add the collector by clicking on the "Save changes" button.

Confluence (Atlassian) Collector

Go to the Atlassian administration via the administrator account. Click on your abbreviation in the top right-hand corner to select the "Manage account" option in the menu that appears. Now select the "Settings" tab in the navigation bar. Once in the view, you can now easily create a new API key by pressing the button.

Then create a collector in Enginsight SIEM, select the relevant host and enter the corresponding tenant ID. Add the collector by saving your settings.

Bitdefender GravityZone

Bitdefender Configuration

1. Open the settings of your Bitdefender application.

2. Navigate to the menu item “API Key” and activate the “Event Push Service API”.

3. Follow the instructions to create an API key.

Detailed instructions can be found here: Bitdefender Public API Guide.

Configuration in the Enginsight platform

1. Switch to the Enginsight application and call up the menu item: SIEM. Select the API collector Bitdefender GravityZone from the API collector list and click on Add collector in the top right-hand corner.

2. Enter a unique name and a description for your new Bitdefender new collector.

3. The option to send logs by the collector in the Enginsight application is enabled by default and is required to integrate Bitdefender GravityZone logs into your SIEM.

4. Enter the appropriate URL of your Bitdefender application under Endpoint: Global: https://cloud.gravityzone.bitdefender.com Europe: https://cloudgz.gravityzone.bitdefender.com

1. Enter the key previously created in Bitdefender in the corresponding field under API key in the Enginsight application.

2. Under Event types, select the specific events that are to be sent to your SIEM via the collector. All event types are selected by default. If necessary, remove events that are not required from the list.

3. Under Hosts, select the host that is to act as a collector from the drop-down list.

1. The bind address defines the IP address and the port of the host via which it receives the push events from Bitdefender. Make sure that the bind address is configured correctly and that the host is accessible via the network.

2. The option Local "Bind" with HTTPS is deactivated by default. However, it is required if Bitdefender is to send the logs directly to the host.

   1. “Local “Bind” with HTTPS” activated

      1. Activate the button: “Local ‘Bind’ with HTTPS”

      2. Insert a certificate valid for the bind URL.

      3. Enter the private key.

   2. “Local “Bind” with HTTPS” deactivated

      1. Follow the further instructions.

1. The bind URL specifies the full URL (including HTTPS) through which the host receives the encrypted push events from Bitdefender. Make sure that the URL is formatted correctly and that HTTPS is used, as Bitdefender only accepts encrypted connections.

2. If you cannot insert a direct IP or only a certificate for a new domain, please skip the certificate check with the corresponding field. When using self-signed certificates, it is also necessary to skip the certificate check.

3. Enter a user name and password for basic authentication. This authentication is only required by Bitdefender.

4. Save the configuration of the collector by clicking on Add Collector.

Host Collectors

The Host Collectors collect logs directly from the operating system using the already installed agents. This enables seamless data collection that directly accesses existing resources and provides a comprehensive view of system activity.

Create Host Collectors

Assign a relevant name and a short description. Use the button below to specify whether the collector should be able to send logs on its own. Under "Host assignment" you can now specify tags and list all tags below that should count for this collector or you can decide for "Reference" and then specify explicit hosts for which the collector applies.

Create Windows event log collector

Select from the default channels which you want to monitor and add more channels via the button with just a few clicks.

Integrate Exchange Logs

Easily integrate Exchange Logs. To do this, find the log name (via your Windows event viewer) of the channel you want, copy the exact name and add it under "Add Custom Channel".

Create Unified Logs (macOS) collector

Again, select from the default channels at logLevels.de. Please note that unified logs result in a considerable amount of data and we therefore strongly recommend activating Fault by default.

Create Syslog (Linux) Kollektor

Select the “Sysmon” module. This is a Microsoft tool that acts as a wrapper and combines a large number of events that may be irrelevant for further analysis for the SIEM and compresses them into a standardized file format. This significantly optimizes the handling of such logs and enables a faster response. To confirm this step, you must agree to the third-party license terms.

Create Appache httpd collector

By default, the Apache HTTP server writes its logs to local files. However, in order to collect and process the logs efficiently with Pulsar, the logs must be forwarded via syslog. This guide describes how to configure Apache so that the logs are provided in the appropriate format and can be easily parsed.

1. Open the configuration file of the Apache HTTP server with a suitable text editor:

• Debian-based: /etc/apache2/apache2.conf

• RHEL-based: /etc/httpd/conf/httpd.conf

1. Add the following entries or adapt existing ones:

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

• vhost_combined: Contains virtual hosts, referrer and user agent.

• combined: Contains referrer and user agent.

• common: Simplest format, without referrer and user agent.

• referer/agent: Specialized formats for individual fields.

1. GlobalLog for Access Logs:

GlobalLog "|/usr/bin/logger -t httpd -p local0.info" vhost_combined

• httpd: Is used as syslog.app_name (do not change).

• local0.info: Syslog facility and severity for the logs.

• vhost_combined:Log format supported by the parser.

1. ErrorLog for Error logs:

ErrorLogFormat "[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M"
LogLevel notice
ErrorLog "|/usr/bin/logger -t httpd -p local0.info"

• LogLevel: Defines the severity levels (e.g. debug, info, notice, warn, error). Recommendation: notice.

1. Save changes Speichern und schließen Sie die Konfigurationsdatei.

2. Apache neu starten Damit die Änderungen wirksam werden, muss der Apache HTTP Server neu gestartet werden:

• Debian-based:

sudo systemctl restart apache2

• RHEL-based:

sudo systemctl restart httpd

1. Check functionality

• Make sure that the logs appear in /var/log/syslog or /var/log/messages, depending on the operating system configuration.

• Check that access logs and error logs are forwarded correctly in the specified format.