Secerno CEF Certified Configuration Guide
- Pavan Raja

- Apr 9, 2025
Summary:
The "Common Event Format Configuration Guide for Secerno DataWall" is a guide to setting up the Secerno DataWall appliance to collect syslog events, particularly SQL traffic and alerts. It involves configuring the appliance to send log output in CEF format to an ArcSight server. Key steps include enabling event forwarding, specifying the ArcSight server's IP address or hostname with TCP/UDP protocol, selecting relevant syslog categories based on alert types, setting a maximum message length, and applying these settings.
The document covers the various events managed by Secerno DataWall, such as heartbeat messages, property change alerts, database audit logs, statement alerts (including those for Web Application Firewalls), login/logout alerts, and system messages. Each event type has a unique signature ID that maps to predefined strings or severity levels. The guide includes screenshots of the configuration process and clarifies how vendor-specific events are mapped to ArcSight data fields.
This document also describes the structure of database responses captured in an event log using specific fields labeled with vendor-specific codes, including information such as policy name (cs1), request method (requestMethod), referring URL (requestContext), user agent (requestClientApplication), and IP address of the originating web client (sourceTranslatedAddress). The database type is identified by SECERNO numbers: 4, 7, 8, 9, 10, and 11, which correspond to different event types or actions related to database interactions. These codes map to specific details such as property value, full HTTP requests including cookies and method type, connection strings for databases, execution results, database response codes, and counters indicating various actions like new, modified, deleted, or unchanged.
Details:
The "Common Event Format Configuration Guide for Secerno DataWall" provides a detailed guide to setting up the Secerno DataWall appliance for syslog event collection, specifically targeting SQL traffic and generated alerts. The document outlines steps for configuring the appliance to send log output in CEF format to an ArcSight server. Key configurations include enabling event forwarding, specifying the ArcSight server's IP address or hostname with optional TCP/UDP protocol choice, selecting relevant syslog categories based on alert types, setting a maximum message length, and applying these settings.
The document also details specific events managed by Secerno DataWall, such as heartbeat messages, property change alerts, database audit logs, statement alerts (including those for Web Application Firewalls), login/logout alerts, and system messages capturing OS-level alerts. Each event type has a unique signature ID that maps to predefined strings or severity levels.
The guide also includes screenshots of the configuration process and clarifies how vendor-specific events are mapped to ArcSight data fields. The mappings include details such as management IP address, timestamp, category, name, and property change information, depending on the specific event type. This mapping ensures interoperability between the Secerno DataWall appliance and ArcSight by transferring detailed event information in a standardized format (CEF) for analysis and reporting within the SIEM.
This document describes the structure of a database response captured in an event log, using specific fields labeled with vendor-specific codes. The database response details include information such as the policy name (cs1), request method (requestMethod), referring URL (requestContext), user agent (requestClientApplication), and IP address of the originating web client (sourceTranslatedAddress).
The database type is identified by various SECERNO numbers: 4, 7, 8, 9, 10, and 11. These codes correspond to specific events or actions related to the database interaction:
- SECERNO:4 provides a fixed string "Property value".
- SECERNO:7 captures full HTTP requests, including details like cookies (requestCookies) and method type (requestMethod).
- SECERNO:8 supplies connection strings for databases.
- SECERNO:9, 10, and 11 handle different types of database interactions, such as execution results ("Execution result") and database response codes ("Database response code"), and may include counters indicating actions like "New" (flexNumber2), "Modified", "Deleted" (cn2), and "Unchanged" (cn3).
The data is labeled with terms like cs1Label for policy name, cn2Label for deleted counter, and so on. This standardized format helps in tracking specific details of database interactions consistently across different events or systems, providing detailed information necessary for troubleshooting and analysis in system operations and cybersecurity management.
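To make the labelled-field convention concrete, here is an added example (not code from the guide or from Secerno) that parses a constructed CEF line in the shape described above, resolves the csN/cnN values through their matching *Label keys, and separates the vendor-specific SECERNO:n keys. The sample line, its header values (vendor "Secerno", product "DataWall", version, signature ID and severity) and every extension value are constructed for illustration; the header/extension layout and the "\|" and "\=" escaping are standard CEF.

```python
import re

# Constructed sample line in the shape the guide describes (not a real Secerno export):
# a statement alert with a policy name in cs1, row counters in cn2/cn3, the WAF
# request fields and one vendor-specific SECERNO:n key.
SAMPLE = (
    "CEF:0|Secerno|DataWall|4.0|7|Statement alert|8|"
    "rt=1234 cs1=Block DROP cs1Label=Policy name "
    "cn2=3 cn2Label=Deleted cn3=0 cn3Label=Unchanged "
    "requestMethod=POST requestContext=http://shop.example/cart "
    "requestClientApplication=Mozilla/5.0 sourceTranslatedAddress=203.0.113.7 "
    "SECERNO:9=Execution result"
)

HEADER = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
# An extension key is a run of key characters followed by '=' at the start of the
# extension or after whitespace; ':' is allowed so SECERNO:9-style keys are recognised.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_:]+)=")

def _unescape(value):
    # CEF escapes '=' and '\' inside extension values; header '|' is handled separately.
    return value.replace("\\=", "=").replace("\\\\", "\\")

def parse_cef(line):
    """Return (header dict, extension dict) for one CEF line."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)  # split on unescaped pipes only
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header = {k: v.replace("\\|", "|") for k, v in zip(HEADER, parts[:7])}
    header["version"] = header["version"][len("CEF:"):]
    ext, matches = {}, list(KEY_RE.finditer(parts[7]))
    for i, m in enumerate(matches):
        # A value runs from after its '=' up to the whitespace preceding the next key.
        end = matches[i + 1].start() if i + 1 < len(matches) else len(parts[7])
        ext[m.group(1)] = _unescape(parts[7][m.end():end].strip())
    return header, ext

def resolve_labels(ext):
    """Map csN/cnN/flexNumberN values to the names in their *Label keys (counters as int);
    vendor SECERNO:n keys are returned in a second dict."""
    named, vendor = {}, {}
    for key, value in ext.items():
        if key.startswith("SECERNO:"):
            vendor[key] = value
        elif re.fullmatch(r"(cs|cn|flexNumber|flexString)\d", key) and key + "Label" in ext:
            named[ext[key + "Label"]] = int(value) if key.startswith(("cn", "flexNumber")) else value
    return named, vendor
```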