
Damballa CSP Certified CEF Configuration Guide-04 25 2011

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 5 min read

Summary:

The "Common Event Format Configuration Guide" for Damballa's Communication Service Provider (CSP) solution assists users in configuring the Damballa CSP Connector for syslog event collection, specifically tailored for ArcSight. The connector supports Windows, Linux, and Solaris platforms, with a focus on version 1.6+. The primary function of Damballa® CSP is to identify malicious activity originating from subscribers' devices within a Communication Service Provider's network, isolating and terminating threats such as botnets or advanced malware that use CnC mechanisms.

The configuration process for integrating Damballa CSP with ArcSight involves several steps: logging into the Damballa CSP Collector Quick Install Menu, navigating to the ArcSight Configuration section, answering prompts about sending events to ArcSight, providing the IP address or hostname of the ArcSight ESM (Extensible Security Module), and setting a port number for event transmission. The connector generates CEF events when Damballa CSP detects evidence of a subscriber IP making a DNS query for a CnC domain, including details about the threat and forensic information captured by Damballa. These events are designed to be compatible with ArcSight systems, enhancing security operations through a standardized event format.

The article discusses the integration between Damballa's CSP and ArcSight's ESM, focusing on how vendor-specific event definitions are mapped to ArcSight data fields via the SmartConnector. It describes the format of the syslog events sent from Damballa CSP to ArcSight, including a sample CEF event. The data fields included in these events and their descriptions are:

  • CEF Version (Integer): Indicates the version of the ArcSight CEF format being used, which is 0 in this case.

  • Device Vendor (String) and Device Product (String): Identify Damballa as the vendor and SP Solution as the product.

  • Device Version (String): The version number of the CSP solution, 1.5 in this instance.

  • Signature ID (String): A unique identifier for the botnet that provides a tie to relevant content from Damballa CSP.

  • cnt (Integer): Counts the number of queries; it ties back to the Damballa CSP Activity report via "lookup_count".

  • Severity (Integer): Reflects the severity score of the threat or botnet, corresponding to the Damballa CSP Threat report's "global_severity_score".

  • cat (String): Specifies the type of event, such as DNSQuery.

  • start (TimeStamp) and end (TimeStamp): Provide timestamps for the period during which queries were observed. These are either in a readable date format or milliseconds since epoch, tying back to Damballa CSP Activity reports via "first_seen" and "last_seen".

This integration demonstrates how detailed event mappings can facilitate comprehensive threat analysis by leveraging standardized data formats across different security tools for better correlation and response capabilities. The document also describes the fields used in a Damballa CSP activity report, which tracks communication between subscribers' IP addresses and Command and Control (CnC) servers. These fields include the source IPv4 address, destination DNS domain, threat name, industry name, group name, port start, and sensor name, and they help identify compromised subscriber IPs attempting to communicate with CnC servers. The report uses specific field labels such as "client_IP" for the IP address of the querying subscriber, "domain" for the CnC domain name, "operator_name" and "industry_name" for threat-specific information, and port numbers from assigned source port blocks. The sensor name is captured as "dvchost".

Details:

The document titled "Common Event Format Configuration Guide" for Damballa's CSP (Communication Service Provider) solution guides users through configuring the Damballa CSP Connector for syslog event collection, specifically tailored for ArcSight. The connector supports Windows, Linux, and Solaris platforms, with a focus on version 1.6+. The primary function of Damballa® CSP, as described in the document, is to identify malicious activity originating from subscribers' devices within a Communication Service Provider's network. It isolates and terminates online threats such as botnets or advanced malware that use network-based Command and Control (CnC) mechanisms to connect compromised systems into a clandestine malicious network.

The configuration process for integrating Damballa CSP with ArcSight is straightforward and is outlined in the document as follows:

1. Log on to the Damballa CSP Collector Quick Install Menu and navigate to the ArcSight Configuration section. Follow the onscreen prompts for each step.

2. Answer "Y" or "N" to the question "Do you want to send events to ArcSight?"

3. Enter the IP address or hostname of the ArcSight ESM (Extensible Security Module).

4. Provide the destination and source port numbers; the example values given are 514.

5. Set an interval between 5 and 60 minutes for event transmission to the ArcSight ESM.

The connector generates CEF events when Damballa CSP detects evidence of a subscriber IP making a DNS query for a CnC domain, including details about the threat and forensic information captured by Damballa. These events are designed to be compatible with ArcSight systems, enhancing security operations through a standardized event format. The article discusses the integration between Damballa's CSP and ArcSight's ESM, focusing on how vendor-specific event definitions are mapped to ArcSight data fields via the SmartConnector.

It provides details about the format of the syslog events sent from Damballa CSP to ArcSight, including the following sample CEF event:

    CEF:0|Damballa|SP Solution|1.5|1|classified_domain|10|cat=DNSQuery cnt=2 cs1=Damballa Test cs1Label=ThreatName cs2=Damballa Test Industry cs2Label=IndustryName destinationDnsDomain=test.damballa.com dvchost=sensor1 end=1300194678000 src=1.2.3.4 start=1300192878000

The article lists the data fields included in these events and their descriptions:

  • CEF Version (Integer): Indicates the version of ArcSight CEF format being used, which is 0 in this case.

  • Device Vendor (String) and Device Product (String): Identify Damballa as the vendor and SP Solution as the product.

  • Device Version (String): The version number of the CSP solution, 1.5 in this instance.

  • Signature ID (String): A unique identifier for the botnet that provides a tie to relevant content from Damballa CSP.

  • cnt (Integer): Counts the number of queries; it ties back to the Damballa CSP Activity report via "lookup_count".

  • Severity (Integer): Reflects the severity score of the threat or botnet, corresponding with the Damballa CSP Threat report's "global_severity_score".

  • cat (String): Specifies the type of event such as DNSQuery.

  • start (TimeStamp) and end (TimeStamp): Provide timestamps for the period during which queries were observed. These are either in a readable date format or milliseconds since epoch, tying back to Damballa CSP Activity reports via "first_seen" and "last_seen".

This integration demonstrates how detailed event mappings can facilitate comprehensive threat analysis by leveraging standardized data formats across different security tools for better correlation and response capabilities.

The document also describes the fields used in a Damballa CSP activity report, which tracks communication between subscribers' IP addresses and Command and Control (CnC) servers. These fields include the source IPv4 address, destination DNS domain, threat name, industry name, group name, port start, and sensor name, and they help identify compromised subscriber IPs attempting to communicate with CnC servers. The report uses specific field labels such as "client_IP" for the IP address of the querying subscriber, "domain" for the CnC domain name, "operator_name" and "industry_name" for threat-specific information, and port numbers from assigned source port blocks. The sensor name is captured as "dvchost".

The report focuses on subscriber IPs that are suspected or confirmed to be compromised and are attempting to communicate with CnC servers. These events are typically processed by ArcSight for analysis, where the asset information (IP address, hostname, or MAC address) will be present in the corresponding target fields after processing. The main purpose is to identify and track threats related to CSP activity involving CnC communications.
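As an added illustration (not code from the original guide or this post), the following Python parses the sample event quoted above into the seven CEF header fields and the extension keys described in the list, converts the epoch-millisecond start/end values to UTC datetimes, and resolves the cs1/cs1Label custom-string pairs the way the SmartConnector mapping describes. The parser structure, function names and escape handling are assumptions of this example, not the connector's own implementation.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the example event as quoted on this page.
SAMPLE_EVENT = (
    "CEF:0|Damballa|SP Solution|1.5|1|classified_domain|10|"
    "cat=DNSQuery cnt=2 cs1=Damballa Test cs1Label=ThreatName "
    "cs2=Damballa Test Industry cs2Label=IndustryName "
    "destinationDnsDomain=test.damballa.com dvchost=sensor1 "
    "end=1300194678000 src=1.2.3.4 start=1300192878000"
)

HEADER_FIELDS = ("DeviceVendor", "DeviceProduct", "DeviceVersion",
                 "SignatureID", "Name", "Severity")
EPOCH_MS_FIELDS = ("start", "end")  # sent as milliseconds since the epoch


def _unescape(value):
    # CEF extension values escape '=' and '\' with a backslash (assumed here).
    return value.replace("\\=", "=").replace("\\\\", "\\")


def parse_cef(line):
    """Split one CEF line into its header fields plus a dict of extensions."""
    # Header fields are '|'-separated; a literal '|' is escaped as '\|'.
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("expected 'CEF:<version>' plus seven header fields")
    event = {"CEFVersion": int(parts[0][4:])}
    event.update(zip(HEADER_FIELDS, parts[1:7]))
    event["Severity"] = int(event["Severity"])
    # Extension values may contain spaces, so a value runs until the next ' key='.
    ext = {}
    for key, raw in re.findall(r"(\w+)=((?:\\.|[^\\])*?)(?=\s\w+=|$)", parts[7]):
        ext[key] = _unescape(raw)
    for key in EPOCH_MS_FIELDS:
        if key in ext and ext[key].isdigit():
            ext[key] = datetime.fromtimestamp(int(ext[key]) / 1000, tz=timezone.utc)
    if "cnt" in ext:
        ext["cnt"] = int(ext["cnt"])
    event["extensions"] = ext
    return event


def custom_strings(ext):
    """Resolve csNLabel/csN pairs into {label: value}, e.g. ThreatName."""
    return {ext[k]: ext[k[:-5]] for k in ext
            if k.endswith("Label") and k[:-5] in ext}
```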

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
