Fidelis Certified Connector Configuration Guide
- Pavan Raja

- Apr 8, 2025
- 3 min read
Summary:
The "Common Event Format Configuration Guide" for Fidelis Security Systems' XPS product outlines how to configure the system to send events in CEF (Common Event Format) via syslog on Linux platforms with version 5.1 or later. This guide is intended for users of the Fidelis XPS sensor, which supports this configuration.
To set up CEF format for syslog delivery:
1. Log into the Fidelis CommandPost interface and navigate to the Reports/Tabular tab.
2. Create a query and schedule it by clicking the "Schedule Query" icon.
3. On the Schedule Query screen, select the "Query every new alert satisfying Query conditions." radio button, or set up periodic queries (which may produce duplicate alerts).
4. From the "Deliver via, Format" dropdown menu, choose "Arcsight syslog". In the "To" input box, specify the IP address of the ArcSight syslog server.
5. Click "Update Query Scheduler" to complete the configuration.
The document also mentions that multiple events can be posted and provides examples like "Rogue Channel Found: FTP (EventID 390041694378)". Additionally, a technical note titled "Event Interoperability Standard" details the mappings between vendor-specific event definitions and ArcSight data fields. This standardization is important for seamless integration of event data from different vendors into the ArcSight platform, enhancing security operations through effective monitoring, investigation, and response to potential threats.
Details:
The document titled "Common Event Format Configuration Guide" for Fidelis Security Systems' XPS product provides a guide on configuring the system to send events in CEF (Common Event Format) via syslog. It is intended for users of the Fidelis XPS sensor, which supports this configuration on Linux platforms with version 5.1 or later.
The XPS sensor monitors network traffic and detects security breaches such as information leaks, attacks, and network abuse. The Fidelis XPS CommandPost interface allows exporting events in several formats including Email, Syslog, SNMP, and http-post. This guide specifically focuses on setting up the CEF format for syslog delivery.
To configure the system:
1. Log into the Fidelis CommandPost interface and navigate to the Reports/Tabular tab.
2. Create a query and schedule it by clicking the "Schedule Query" icon.
3. On the Schedule Query screen, select the "Query every new alert satisfying Query conditions." radio button. Optionally, you can set up periodic queries which might lead to duplicate alerts.
4. Choose "Arcsight syslog" from the "Deliver via, Format" dropdown menu and specify the IP address of the Arcsight syslog server in the "To" input box.
5. Click "Update Query Scheduler" to complete the configuration.
This guide also mentions that multiple events can be posted, for example:
EventID 390041694378: Rogue Channel Found: FTP
The guide also includes a technical note titled "Event Interoperability Standard" which outlines the mappings between vendor-specific event definitions and ArcSight data fields. It details how information from specific vendor events, such as those used by Fidelis Security Systems (CEF prefix), is transferred to the ArcSight SmartConnector for mapping to the appropriate ArcSight data fields.
The table included in the technical note shows the correspondence between various XPS Event Definitions and corresponding ArcSight Event Data Fields. These include device-specific details like Vendor, Product, Version, Signature ID, Name, Severity, Action (compression, policy), Protocol, Sensor information (IP and name), Source and Destination IP/Port, Filename, Timestamp, User, and Alert Detail linkback page.
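To make the mapping concrete, here is an added example (not code from the guide or from Fidelis): a small parser for a CEF record as it would arrive over syslog, splitting the seven header fields the table maps (Vendor, Product, Version, Signature ID, Name, Severity) from the key=value extension, honouring CEF's backslash escapes and rejecting malformed records. The sample line is constructed; it borrows the page's "Rogue Channel Found: FTP" event and EventID 390041694378, and the extension key names are standard CEF keys, not the guide's own field list.

```python
import re
# CEF record: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version", "signature_id", "name", "severity")
_EXT_KEY = re.compile(r"(?:^|\s)(\w+)=")  # extension keys are bare words directly followed by '='

def _split_header(text, n):
    """Split off the first n unescaped '|' fields (undoing '\\|' and '\\\\'); return the remainder raw."""
    parts, cur, i = [], [], 0
    while i < len(text) and len(parts) < n:
        if text[i] == "\\" and i + 1 < len(text):  # escaped character: take it literally
            cur.append(text[i + 1]); i += 2; continue
        if text[i] == "|":
            parts.append("".join(cur)); cur = []
        else:
            cur.append(text[i])
        i += 1
    if len(parts) < n:
        raise ValueError("CEF header needs %d pipe-delimited fields" % n)
    return parts, text[i:]

def _unescape(value):
    # Extension values escape '=' and '\' with a backslash; \n and \r encode line breaks.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_cef(line):
    """Parse one syslog payload carrying a CEF record into header/extension dicts; ValueError if malformed."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in record")
    fields, ext = _split_header(line[start + 4:], len(HEADER_FIELDS))
    header = dict(zip(HEADER_FIELDS, fields))
    if not header["severity"].isdigit() or not 0 <= int(header["severity"]) <= 10:
        raise ValueError("severity must be an integer 0-10, got %r" % header["severity"])
    keys = list(_EXT_KEY.finditer(ext))  # each value runs up to the next ' key=' token
    extension = {m.group(1): _unescape(ext[m.end():(nxt.start() if nxt else len(ext))].strip())
                 for m, nxt in zip(keys, keys[1:] + [None])}
    return {"header": header, "extension": extension}

def is_valid_cef(line):
    # Collector gate: accept only records that parse cleanly.
    try:
        parse_cef(line)
        return True
    except ValueError:
        return False

# Constructed sample (not captured from a sensor): the page's EventID 390041694378 event laid out as a CEF record.
SAMPLE = ("<134>Apr  8 12:00:00 commandpost CEF:0|Fidelis Security Systems|XPS|5.1|390041694378|"
          "Rogue Channel Found: FTP|7|src=10.0.0.5 spt=49152 dst=192.0.2.21 dpt=21 proto=TCP "
          "dvc=10.0.0.2 dvchost=sensor-01 fname=payroll\\=Q1.xls msg=Unauthorized FTP channel detected")
```

Running `parse_cef(SAMPLE)` yields the header fields the table maps (vendor, product, version, signature ID, name, severity) and an extension dict in which the escaped `\=` inside the filename has been restored.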
This standardization is crucial for ensuring that event data from different vendors can be seamlessly integrated and analyzed within the ArcSight platform, enhancing overall security operations by allowing more effective monitoring, investigation, and response to potential threats.