Knowledge Base – SGBox Next Generation SIEM & SOAR (https://www.sgbox.eu), feed built Fri, 13 Mar 2026 09:38:48 +0000

SGBox Clipboard https://www.sgbox.eu/en/knowledge-base/sgbox-clipboard/ Fri, 13 Mar 2026 08:59:12 +0000
Click to open the SGBox Clipboard user guide

6.3.0 https://www.sgbox.eu/en/knowledge-base/6-3-0/ Thu, 12 Mar 2026 15:02:13 +0000

6.3.0

A new SGBox release is available; it improves many backend features and overall performance.


SGBOX > SCM > Applications > SGBox Updates

Requirements:

SGBox must be able to reach https://registry.sgcloud.it on TCP port 7442 (outbound) to download the update.

API configuration on Telegram https://www.sgbox.eu/en/knowledge-base/api-configuration-on-telegram/ Thu, 05 Mar 2026 14:38:50 +0000

API Key configuration

This article explains how to configure SGBox to interact with the Telegram API so that an alert message is sent when a specific event occurs.

Requirements:

  • SGBox version 4.2.4 with the LM and LCE modules.
  • A Telegram BOT.

There are many tutorials on how to create a Telegram bot; this example uses @BotFather.
First create the bot and obtain its token:


A token looks like: 1148120703:AbIUGpERusdQDEEag_EL1KDtynRB9sIhbj1. Treat it as a secret: whoever holds it can read the bot's updates and send messages in its name, so do not paste it in tickets or screenshots, and regenerate it with @BotFather if it leaks.
You also need the chat_id: open a chat with the bot, send it “Hello”, then retrieve the chat id:


From your browser call the getUpdates method:
https://api.telegram.org/bot1148120703:AbIUGpERusdQDEEag_EL1KDtynRB9sIhbj1/getupdates

Find the chat id in the response (the id field of the chat object):
id: 124229696

API Key configuration

Log in to SGBox and download the Telegram application:
from SCM > Application > SOAR PREMIUM download and install the Telegram application.

Go to PB > Playbooks > Telegram_Alert

Edit the Telegram BOT credential, entering the values obtained in the first part of this guide:

Name field: bot_id (do not change)

Value: 1148120703:AbIUGpERusdQDEEag_EL1KDtynRB9sIhbj1 (the bot token)

Name field: chat_id (do not change)

Value: 124229696

Once the credentials are entered, test them, save and close the window.

SGBox SOAR Usage

Next, create an Event/logs query to connect to the Telegram_Alert playbook: go to LM > Analysis > Event/logs queries

Create a new query with the blue button on the right.

In the SELECT, put the fields you want to see in the message that will arrive on Telegram.

In this example we write:

 $HOST as Host, $EVENT as Action, $PARAM:[TargetUserName] as details, $TIMESTAMP as Timestamp

Now set the “FROM” (the class or classes)

Now choose the event or events:

Important: verify that the query works. Before clicking the test button, check the time range, otherwise an empty result may only mean that no matching event fell in the selected window.

Now press the button “Show Scheduling Options”

Tick the “Run Playbook” flag and choose the Telegram alert playbook

Go back to the Playbook section

Open the Format message node

As before, click the edit button and, in the text section, write the Telegram message that will be delivered:

Telegram Alert
Host: $1

Action: $2

Details: $3

Timestamp: $4

$1 to $4 refer, in order, to the columns of the query created earlier (Host, Action, details, Timestamp). To add a parameter to the text message click plus, to delete one click trash.

Save everything with the “Save” button on the right.

Back in the Playbook section, search for Telegram_Alert and check the playbook status on the right side: if it is green, the playbook will alert you whenever the selected event occurs.

If everything is correct, after a login Telegram reports that someone performed a LogonOK.
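The steps above (read the chat_id from the getUpdates reply, fill $1 to $4 from the query columns in SELECT order, call sendMessage with the bot token) written out in Python, as an added example that is not part of the SGBox page or product. The bot token is a placeholder, the getUpdates reply and the query row are constructed, and send_alert is the only function that touches the network; everything else runs offline.

```python
"""Offline model of the SGBox -> Telegram alert steps described above.

Added example, not SGBox code. The token below is a placeholder and the
getUpdates reply is constructed to match the real API's shape.
"""
import json
import re
import urllib.parse
import urllib.request

API_BASE = "https://api.telegram.org"

# Placeholder, not a real token. @BotFather shows the real one.
BOT_TOKEN = "123456789:AAExampleTokenDoNotUse"

# Message template exactly as typed into the playbook's Format message node.
TEMPLATE = "Telegram Alert\nHost: $1\nAction: $2\nDetails: $3\nTimestamp: $4"

# Constructed getUpdates reply after the operator sent "Hello" to the bot.
SAMPLE_GETUPDATES = json.dumps({
    "ok": True,
    "result": [{
        "update_id": 700000001,
        "message": {
            "message_id": 1,
            "from": {"id": 124229696, "is_bot": False, "first_name": "Ops"},
            "chat": {"id": 124229696, "first_name": "Ops", "type": "private"},
            "date": 1772716730,
            "text": "Hello",
        },
    }],
})


def extract_chat_ids(getupdates_body: str) -> list[int]:
    """Distinct chat ids in a getUpdates JSON body, in order of appearance."""
    data = json.loads(getupdates_body)
    if not data.get("ok"):
        raise ValueError(f"Telegram API error: {data.get('description', 'unknown')}")
    seen: list[int] = []
    for update in data.get("result", []):
        # Edits and channel posts carry the chat under keys other than "message".
        for key in ("message", "edited_message", "channel_post"):
            chat = update.get(key, {}).get("chat")
            if chat and chat["id"] not in seen:
                seen.append(chat["id"])
    return seen


_PLACEHOLDER = re.compile(r"\$(\d+)")


def format_alert(template: str, row: list[str]) -> str:
    """Replace $1..$N with the N columns of one query result row (1-based)."""
    def substitute(match: re.Match) -> str:
        index = int(match.group(1)) - 1
        if not 0 <= index < len(row):
            raise IndexError(f"template uses ${match.group(1)} but the row has {len(row)} columns")
        return str(row[index])
    return _PLACEHOLDER.sub(substitute, template)


def build_send_message(token: str, chat_id: int, text: str) -> tuple[str, bytes]:
    """URL and form body for the sendMessage method; nothing is sent here."""
    url = f"{API_BASE}/bot{token}/sendMessage"
    body = urllib.parse.urlencode({"chat_id": chat_id, "text": text}).encode()
    return url, body


def mask_token(token: str) -> str:
    """Bot id plus the last 4 secret characters: the form that is safe for logs and tickets."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:****{secret[-4:]}"


def send_alert(token: str, chat_id: int, text: str, timeout: float = 10.0) -> dict:
    """POST the alert (the only network call here); the token stays out of the log line."""
    url, body = build_send_message(token, chat_id, text)
    request = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(request, timeout=timeout) as response:
        result = json.load(response)
    print(f"sendMessage via {mask_token(token)} to chat {chat_id}: ok={result.get('ok')}")
    return result


if __name__ == "__main__":
    chat_id = extract_chat_ids(SAMPLE_GETUPDATES)[0]
    # Constructed query row in the SELECT order: Host, Action, details, Timestamp.
    text = format_alert(TEMPLATE, ["srv01", "LogonOK", "jdoe", "2026-03-05 14:38:50"])
    url, _ = build_send_message(BOT_TOKEN, chat_id, text)
    print(url.replace(BOT_TOKEN, mask_token(BOT_TOKEN)))
    print(text)
```

The token sits in the URL path of every Telegram API call, which is why mask_token is applied before anything is printed: a proxy or web-server log that records the full URL records the credential.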

API configuration on OPSWAT https://www.sgbox.eu/en/knowledge-base/api-configuration-on-opswat/ Thu, 05 Mar 2026 13:23:23 +0000

Introduction

This article explains how to create your OPSWAT API key and how to configure the SGBox PB (Playbook) module to use it.

API Key configuration

Log in to the OPSWAT portal: https://my.opswat.com
Click on user Settings > Global > Server Integration

Copy your API Key. It is a credential: store it only in the SGBox credential node described below.

SGBox Application configuration

Log in to SGBox and download the OPSWAT application:
from SCM > Application > SOAR PREMIUM download and install the OPSWAT application.

From PB > Playbooks edit “[OPSWAT] Authentication”. Edit the Credential node, paste your API key in the Value field, then click Save.
API configuration on Virus Total https://www.sgbox.eu/en/knowledge-base/api-configuration-on-virus-total/ Thu, 05 Mar 2026 11:30:35 +0000

Introduction

This article explains how to create your Virus Total API key and how to configure the SGBox PB (Playbook) module to use it.

API Key configuration

Log in to the Virus Total portal: https://www.virustotal.com/gui/sign-in.
Click on the user icon > API Key

Copy your API Key. It is a credential: store it only in the SGBox credential node described below.

SGBox Application configuration

Log in to SGBox and download the Virus Total application:
from SCM > Application > SOAR PREMIUM download and install the Virus Total application.

From PB > Playbooks edit “[VirusTotal] Authentication”. Edit the Credential node, paste your API key in the Value field, then click Save.
Syslog configuration on Proxmox https://www.sgbox.eu/en/knowledge-base/syslog-configuration-on-proxmox/ Wed, 25 Feb 2026 15:44:15 +0000

Syslog configuration on Proxmox

On Linux hosts no specific agent needs to be installed to send logs to SGBox: the syslog protocol is used.
If not already present, install the rsyslog package.

apt-get -y install rsyslog

Create the file “20-SGBox.conf”:

vi /etc/rsyslog.d/20-SGBox.conf

Add the following line to send only authentication logs. Either the IP address or the hostname of SGBox can be used. Note that a single @ sends over UDP (port 514 unless a :port suffix is given); use @@SGBox-IP to send over TCP instead.

auth,authpriv.* @SGBox-IP

Alternatively, add the following line to send all logs to SGBox; this is useful for in-depth investigation.

*.* @SGBox-IP

Restart the rsyslog daemon to load the new configuration and start sending logs, then generate a test authentication event (for example with the logger utility at facility auth) and check that it reaches SGBox.

service rsyslog restart

Troubleshooting on NVS https://www.sgbox.eu/en/knowledge-base/troubleshooting-on-nvs/ Thu, 05 Feb 2026 14:24:20 +0000

Troubleshooting on NVS

This guide shows how to debug some issues that may arise with the NVS module and the scans it manages.

Troubleshooting “Hosts Not Alive”

Problem
During the host discovery phase, the service checks whether each target is up and running, to avoid wasting time scanning a dead or unreachable host. The “No Host Alive” message means the scanner did not find the target alive during the Discovery phase of the scan. If the host is not “alive”, the scan does not proceed beyond this point and no assessment is performed.

Error
Hosts are shown under the “Hosts Not Alive” section of scan results

Cause
To determine whether the host is “alive”, the service probes each target with ICMP, TCP and UDP. The TCP and UDP probes are sent to the default ports of common services such as DNS, TELNET, SMTP, HTTP and SNMP. If none of these probes gets a response, the host is considered not alive.
The types of probes sent, and the list of ports scanned during host discovery are configurable in the option profile (see Host Discovery on the Additional tab in the profile).

Ports used for host discovery:

  • TCP SYN packets are sent to these well-known TCP ports: 21, 22, 23, 25, 53, 80, 88, 110, 111, 135, 139, 443, 445.
  • TCP ACK packet with a source port of 80 and a destination port of 2869
  • TCP ACK packet with a source port of 25 and a destination port of 12531
  • TCP SYN-ACK packet with a source port of 80 and a destination port of 41641
  • UDP packets are sent to the following well-known UDP ports: 53, 111, 135, 137, 161, 500
  • ICMP ‘Echo Request’ packets

Solution

  • Ensure that the scanner can reach the target on the required ports.
    • For external scans, go to Help > About to see the IP addresses of the external scanners to allow.
    • Run the following command on the target while the scan is running to see which ports are open at that time: netstat -anp
  • Allow ICMP to the system so that it can be discovered as alive.
  • If the target has open ports other than those listed above, add them under TCP Ports/UDP Ports in the Additional tab of the Option Profile.
  • You can choose to scan “dead” hosts through the scan options in the Option Profile (see Scan Dead Hosts on the Scan tab), but this increases scan time and is not recommended for Class C or larger networks.
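The netstat check and the discovery port lists above combined into one offline tool, as an added example that is not part of the NVS product or the page: paste the target's "netstat -an" output in and it reports which discovery probes can get an answer, and which other open ports are candidates for the Option Profile. The port sets come from the page; the netstat sample is constructed and the parser's handling of Linux and Windows output layouts is this example's own assumption.

```python
"""Cross-check a target's listening sockets against the NVS host-discovery probes.

Added example, not NVS code. Parses "netstat -an" output (Linux or Windows
layout) copied from the target and reports which discovery probes can be
answered. Port lists are the ones documented on the page; the sample is constructed.
"""
import re

TCP_DISCOVERY = {21, 22, 23, 25, 53, 80, 88, 110, 111, 135, 139, 443, 445}
UDP_DISCOVERY = {53, 111, 135, 137, 161, 500}

# Constructed "netstat -an" excerpt from a Linux target: only SSH and SNMP can
# answer a discovery probe; the rest is loopback-only, an established session,
# or a port the default probes never touch.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
tcp6       0      0 :::3306                 :::*                    LISTEN
udp        0      0 0.0.0.0:161             0.0.0.0:*
udp        0      0 127.0.0.1:323           0.0.0.0:*
"""

_ADDR = re.compile(r":(\d+|\*)$")


def _is_loopback(host: str) -> bool:
    host = host.strip("[]")
    return host.startswith("127.") or host == "::1"


def listening_ports(netstat_text: str) -> dict[str, set[int]]:
    """Non-loopback listening TCP ports and bound UDP ports, keyed by protocol."""
    ports: dict[str, set[int]] = {"tcp": set(), "udp": set()}
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields or not fields[0].lower().startswith(("tcp", "udp")):
            continue
        proto = fields[0].lower()[:3]
        # Local address is the first host:port field (column position differs
        # between Linux and Windows netstat, so locate it by shape).
        addrs = [f for f in fields[1:] if _ADDR.search(f)]
        if not addrs:
            continue
        host, _, port = addrs[0].rpartition(":")
        if not port.isdigit() or _is_loopback(host):
            continue
        # TCP sockets count only in LISTEN/LISTENING; UDP lines have no state.
        state = fields[-1].upper() if fields[-1].isalpha() else ""
        if proto == "tcp" and state not in ("LISTEN", "LISTENING"):
            continue
        ports[proto].add(int(port))
    return ports


def discovery_report(ports: dict[str, set[int]], icmp_echo_answered: bool = False) -> dict:
    """Which default probes hit, which open ports they miss, and the resulting verdict."""
    tcp_hits = ports["tcp"] & TCP_DISCOVERY
    udp_hits = ports["udp"] & UDP_DISCOVERY
    return {
        "tcp_hits": tcp_hits,
        "udp_hits": udp_hits,
        # Open ports the default probes never touch: add these under
        # TCP Ports / UDP Ports on the Option Profile's Additional tab.
        "extra_tcp": ports["tcp"] - TCP_DISCOVERY,
        "extra_udp": ports["udp"] - UDP_DISCOVERY,
        # A host is alive if any probe (or ICMP echo, when allowed) is answered.
        "alive": icmp_echo_answered or bool(tcp_hits or udp_hits),
    }


if __name__ == "__main__":
    report = discovery_report(listening_ports(SAMPLE_NETSTAT))
    for key, value in report.items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

A host that shows hits here but still lands in "Hosts Not Alive" is almost always filtered: the socket is open on the box, but a firewall between scanner and target drops the probe, which is the first thing to verify before touching the Option Profile.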
Syslog configuration on Cynet https://www.sgbox.eu/en/knowledge-base/syslog-configuration-on-cynet/ Wed, 28 Jan 2026 08:40:50 +0000

Cynet – SGBox SIEM Integration Guide

Configure Cynet to send syslog notifications to a remote syslog server (SGBox).

  1. On the Cynet web interface, go to Setting > Advanced.
  2. Select the box beside Send Audit Records to SIEM.
  3. Go to Configuration > SIEM settings and enable the following configuration:
    – Protocol: TCP
    – IP: public IP address of your syslog server
    – Port: the port configured on your syslog server; SGBox uses 6514/tcp.
  4. Press Add. The added IP and port appear on the screen.

NOTE: these instructions are based on the official guide provided by the vendor. For the integration with SGBox to work, make sure the configuration matches the following:

– Communication protocol is TCP
– Port is 6514
– The public IP address of your syslog server is the correct one

For further SGBox support requests, please open a ticket on the ticket portal.
Troubleshooting on Collector 6 https://www.sgbox.eu/en/knowledge-base/troubleshooting-on-collector-6/ Mon, 26 Jan 2026 11:43:50 +0000

Troubleshooting on Collector 6

In this guide we show how to quickly check that the Collector has all the main processes active for correct communication with the hosts and the SGBox appliance.

Docker and containers

Collector 6 introduces Docker containers. To start them correctly, the firewall must allow the Collector to reach SGBox's public registry (see SGBox and Collector network requirements for the ports to open). Once that connectivity is in place, use the CLI tool to verify that the Collector has activated all key containers.

Connect to the Collector appliance via SSH (using PuTTY, a terminal or the console) with the user CLI and the password you saved for it.
Go to System > Process Handling > Services status > SGBox Containers
Check that there are 4 active containers.

Containers are Active: your Collector is ready to be used.
Containers are not Active: something went wrong in the network configuration or port opening. Follow the Network debugging guide below.

Network debugging

You can perform network debugging with the CLI tool.
Connect to the Collector appliance via SSH (using PuTTY, a terminal or the console) with the user CLI and the password you saved for it.
Go to Network Configuration > Connect to port

For example, check whether the Collector reaches the SGBox registry. You can specify an IPv4 address or FQDN, and a port.

The result is either Server is Responding or Cannot connect to the server.

If the result is Cannot connect to the server, check that the firewall managing the network is not blocking the communication (see SGBox and Collector network requirements), or provide the debugging results to SGBox Support for further assistance.
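The "Connect to port" check above, and the 6.3.0 requirement that SGBox reach https://registry.sgcloud.it on port 7442, reduced to plain Python so the same test can be run from any host on the path and its output pasted into a ticket. This is an added example, not SGBox or Collector code: the endpoint list comes from the page, while the status names and the loopback self-test are this example's own assumptions. Unlike a bare "cannot connect", it separates a name-resolution failure (DNS or proxy problem) from a refused connection (host up, nothing listening) and from a timeout (typically a firewall dropping the SYN).

```python
"""TCP reachability check for the endpoints SGBox and the Collector must reach.

Added example, not SGBox code. It reproduces what the Collector CLI
"Connect to port" entry does (resolve, connect, report), with the failure
class spelled out. registry.sgcloud.it:7442 is the requirement stated on the
page; status names and the loopback self-test are assumptions of this example.
"""
import socket

# Outbound endpoints the page says must be reachable.
REQUIRED = [("registry.sgcloud.it", 7442)]


def check_tcp(host: str, port: int, timeout: float = 5.0) -> tuple[str, str]:
    """Return (status, detail); status is 'ok', 'dns', 'refused', 'timeout' or 'error'.

    'dns': the name does not resolve.  'refused': a host answered but nothing
    listens there.  'timeout': no answer at all, usually a firewall dropping SYNs.
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", f"{host}: name resolution failed ({exc})"
    last = ("error", f"{host}: no addresses returned")
    for family, socktype, proto, _, addr in infos:
        sock = socket.socket(family, socktype, proto)
        sock.settimeout(timeout)
        try:
            sock.connect(addr)
            return "ok", f"connected to {addr[0]}:{addr[1]}"
        except socket.timeout:
            last = ("timeout", f"{addr[0]}:{addr[1]} no answer in {timeout}s (filtered?)")
        except ConnectionRefusedError:
            last = ("refused", f"{addr[0]}:{addr[1]} connection refused (host up, port closed)")
        except OSError as exc:
            last = ("error", f"{addr[0]}:{addr[1]}: {exc}")
        finally:
            sock.close()
    return last


def check_required(endpoints=REQUIRED, timeout: float = 5.0) -> dict[str, tuple[str, str]]:
    """Check every required endpoint; keys are 'host:port'."""
    return {f"{h}:{p}": check_tcp(h, p, timeout) for h, p in endpoints}


def loopback_selftest() -> tuple[str, str]:
    """Offline check of the classifier: status with a loopback listener up, then closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    up = check_tcp("127.0.0.1", port, 2.0)[0]
    listener.close()
    down = check_tcp("127.0.0.1", port, 2.0)[0]
    return up, down


if __name__ == "__main__":
    for endpoint, (status, detail) in check_required().items():
        print(f"{endpoint}: {status} - {detail}")
```

Run it from the Collector's network segment rather than from a workstation: the firewall rule that matters is the one that applies to the Collector's own source address.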

Dump network traffic

You can use the CLI tool to check whether there are problems receiving data from the hosts.
Connect to the Collector appliance via SSH (using PuTTY, a terminal or the console) with the user CLI and the password you saved for it.
Go to Stats > Dump network traffic

  1. Filter by IP: simple filter on the data source IP, all ports and protocols
  2. Filter SGBox ports: simple filter on ports 514 and 443 from all data sources
  3. Expert: enter any tcpdump parameters

For example, use the Filter by IP option to check whether the Collector receives logs from a host.

If the host sends logs to the Collector, you should see traffic passing through.
If you see no traffic, double-check that the source is correctly configured to send logs, and that no firewall blocks traffic between the source and the Collector.

6.2.5 https://www.sgbox.eu/en/knowledge-base/6-2-5/ Wed, 21 Jan 2026 15:45:33 +0000

6.2.5

A new SGBox release is available; it improves many backend features and overall performance.


SGBOX > SCM > Applications > SGBox Updates