Cato Network – SGBox SIEM Integration Guide

This guide explains how to set up the configuration that allows SGBox to make API calls to the Cato Network service in order to collect events in SIEM and will help you analyze events generated by activities related to Network, Security, Sockets, Cato Clients, and more.

To complete the tasks outlined in this guide, the requirements are:

• Generating an API Key and obtain your Account ID from Cato Networks.
• Configure SGBox Playbooks for Cato Network

Generating an API Key

To generate an API key:

1. In the navigation menu, click Resources > API Keys.
2. Click New. The Create API Key panel opens.
   1. 

3. Enter a Key Name.

4. Select the API Permission for this key.

5. (Optional) Select a date that the API key Expires at.

6. (Optional) For additional security, in Allow access from IPs, select Specific IP list, and define the IP addresses or IP range that are allowed to use this API key.

   The default setting is to allow this API key for Any IP address.

7. Click Apply. The API key is added and a popup window containing the new API key is displayed.

8. Click  (Copy) and copy the API Key that is generated by the Cato Management Application and save it to a secure location.

   Once you close this window, you can’t access the value for the API key.

9. Click OK to close the pop-up window.

Enabling eventsFeed for Your Account

Use the API Access Management window to enable your account to send events to the Cato API server. After you enable eventsFeed, wait about 30 minutes for the API server to collect enough events to return data for the query.

To enable eventsFeed for your account:

1. In the navigation pane, select Administration > API & Integrations and click the Events Integration tab.
2. Select Enable integration with Cato events. Your account starts sending events to the Cato API server.

Obtain Your Account ID from Cato Networks

Account ID Location:

Log in to your Cato Networks Editors Account.

• The Account ID is found within the Cato Management Application. Specifically by navigating to Account > Account Info.
• Also it is shown within the URL of the Cato account when logged in.
  • For example, if your Account ID is “1234” then the URL should look like: https://sgbox.catonetworks.com/#!/1234/topology

Configure SGBox Playbooks for Cato Networks

Add Custom Host

You must define a Host in SGBox to make sure that the logs collected from CATO will be written into the SIEM, to achieve or analyze them.

• Go to SCM > Network > Host list
• Click the button ➕ New Host
• Insert “CatoNetwork” in the Host field and Save the new host

Cato Network Package Installation

It is also necessary to install a Cato network package in SGBox to deploy on the SIEM configuration used to obtain or analyze CATO events.

• Go to SCM > Applications > Packages and download the package named “Cato Network” by click the button Install
• During the Installation of the package in the field Select the hosts the package will be associated with choose “CatoNetwork” previously defined in the Host list.

• Click Install to finish the installation

Cato Network PB Configurations

• Go to SCM > PB > Playbook and edit [Cato] Network Get RawLogs
• Edit node called [SET] Credentials Parameters and insert API key and Account ID obtained from CATO, save the changes on node by click Save button.

• Edit node called [WRITE] RawLog and in the field choose from list choose “CatoNetwork” previously defined in the Host list, save the changes on node by click Save button.

• To save all changes and exit the [Cato] Network Get RawLogs playbook, click the Save button.

• Schedule the [Cato] Network Get RawLogs PB by clicking the button with the clock icon 🕓 , set an appropriate time interval (not less than 5 minutes), save the change, to run Playbook, click the Execute button and choose Background run.

If the API connection between Cato Network and SGBox is working, a Green 🟢 icon will appear on the Status column and in the Host list for CatoNetwork hosts on the Last Log column will start showing the timestamp of the last data received from CATO in SGBox.

Notes, to check the availability of data collected by SGBox you can also refer to the Historical search page: https://www.sgbox.eu/en/knowledge-base/historical-search/

In case the execution of PB gives an error, a Red icon 🔴 will be shown, In this case the advice is to better check the configuration part to make sure that there are no errors in the input of the parameters needed for the API connection, or, In case of further problems you can open a ticket to SGBox Support via ticketing portal: https://sgboxportal.sgbox.it/portal/en/signin

Analyzing collected data 

Go to LM > Configuration > Mapping > edit mapping called [Cato] Network and in the field choose from list choose “CatoNetwork” previously defined in the Host list, save the changes by click OK button, Confirm.

In this way, SGBox will begin to analyze the events it has collected, which will be searchable from the SGBox analysis pages (Class/Pattern analysis, Custom Report List, Dashboard).

Qualys scan – with Windows authentication

This article describes how to configure Qualys Probe to monitor and perform vulnerability assessments on Windows servers with authentication.

Getting started

Using host authentication (trusted scanning) allows our service to log in to each target system during scanning. For this reason we can perform in depth security assessment and get better visibility into each system’s security posture. Running authenticated scans gives you the most accurate scan results with fewer false positives.

Do I have to use authentication?

For vulnerability scans, authentication is optional but recommended. For compliance scans, authentication is required.

Are my credentials safe?

Credentials are securely handled by the service and are only used for the duration of the scan.

In most cases, we do not modify or write to the device unless the user enables optional scan features Dissolvable Agent and Agentless Tracking and accepts the agreement regarding terms of use.

Dissolvable Agent: When enabled, we write the dissolvable agent file to the device and remove it when the scan is finished.
Agentless Tracking: When enabled, we write a host ID file to the device at the time of the first scan. Note – the Manager primary contact for the subscription can do a cleanup action to remove the host ID file from hosts at any time.
Cleanup Issues: In rare cases, if a scan terminates before cleaning up temporary files or the dissolvable agent, the files may persist. This generally should not occur.

Our security service uses credentials at the scan time to log in with elevated privileges and read security information from the target. Using the information collected, the scanner runs the largest number of security tests, checking the most settings and configurations. You’ll see this information gathered as part of your scan reports.

Which technologies are supported?

For the most current list of supported authentication technologies and the versions that have been certified for VM and PC by record type, please refer to the following article: Authentication Technologies Matrix

What login credentials are required? – Windows Clients and Servers

For VM: Administrator privileges are recommended for the most accurate security assessment and recommended fixes for your system.

For PC/SCA: Administrator privileges (Build-in administrator or ‘Domain Admins’ groups member account) are required. The administrator privileges are required in order for the compliance scan engine to validate settings on the operating system.

Using an account with administrator privileges allows us to collect information based on registry keys, administrative file shares (such as C$) and running services. For VM, it’s possible to use an account with less than administrator rights, however this limits scanning to fewer checks and scans will return less accurate, less complete results.

Windows uses an ACL-based approach. Each object (file, registry key) can have it’s own ACL listing the accounts that have specific types of access (read, write, etc.) to that object. We must have access to a few objects or authentication will fail, including “IPC%$” pipe, the registry API and others. Missing access rights will simply cause the corresponding vulnerability checks (QIDs) and compliance checks (controls) to fail. Most security checks require access to multiple objects and the detailed list can vary depending on operating system version, patch level, configuration settings, etc. The only way to know whether access is sufficient is by running a scan and reviewing the reported access failures.

Windows Domain Controllers

Only Domain Administrator accounts can be used to scan Domain Controllers. We suggest you create a domain account to be used for authentication and add the account to the Domain Administrators Group. There are certain Group Policy settings that we recommend as best practice for scanning Windows systems. See Windows Domain Account Setup to learn more.

If you have any security concerns running scans on Domain Controllers with Domain Administrator privileges, consider using Qualys Cloud Agent. To learn more about Cloud Agent, see the Qualys Cloud Agent Getting Started Guide.

What Authentication Schemes are used?

Our service will attempt to use authentication schemes on the target host from the most secure scheme to the least secure scheme. We support the following authentication schemes, from highest to lowest:

1. Kerberos with AES-128/256
2. Kerberos with RC4-128
3. NTLMv2
4. NTLMv1 (disabled by default, and you can enable it within a Windows authentication record)

Windows Domain Account Setup

This section describes how to create a domain account for authentication, how to add this account to the Domain Administrators Group, and how to set group policy settings. It is recommended that you verify the functionality of the account before using it for trusted scanning. If possible, configure the user account so that the password does not expire.

Create an Administrator Account

1. Log into the Domain Controller with an account that has administrator rights.
2. Open the Active Directory Users and Computers MMC snap-in.
3. Create a new user called “qualys_scanner” (or something similar). Please do not use “qualys” as this account is reserved for use by Qualys and may get locked out during scanning.
4. Select the “qualys_scanner” user and go to Properties (Action > Properties).
5. In the Properties window, go to the “Member Of” tab. Click Add to add the “qualys_scanner” user to the “Domain Admins” group. Click OK to save the change.

Group Policy Settings

Best practice Group Policy settings for authenticated scanning of Windows systems are described below. Please consult your network administrator before making changes to Group Policy as changes may have an adverse impact on your network operations, depending on your network configuration and security policies in place. Note that detailed descriptions for many Group Policy settings listed below is available online when using the Group Policy Editor.

Important! We highly recommended that you discuss making changes to Group Policy with your network administrator before implementation, as your local network configuration may depend on certain settings being in place. Qualys does not verify that these settings are appropriate for your network. If you do make any Group Policy changes, it may take several hours before the changes take effect on the client.

Security Options

Computer Configuration > Windows Settings ?> Security Settings > Local Policies > Security Options

• Network access: Sharing and security model for local accounts > Classic
• Accounts: Guest account status > Disabled (recommended)
• Network access: Let Everyone permissions apply to anonymous users > Disabled (recommended)

System Services

Computer Configuration > Windows Settings > Security Settings > System Services

• Remote registry > Automatic
• Server > Automatic 
• Windows Firewall > Automatic

Administrative Templates

Computer Configuration > Administrator Templates > Network > Network Connections > Windows Firewall > Domain Profile

• Windows Firewall: Protect all network connections > Disabled (recommended) or Enabled. Your network administrator should decide on the best option for your environment. If Enabled, 3 settings are required (below).
• Windows Firewall: Allow remote administration exception > Enabled (1)
• Windows Firewall: Allow file and printer sharing exception >  Enabled (1)
• Windows Firewall: Allow ICMP exceptions > Enabled (2)

(1) In the “Allows unsolicited messages from” field, enter “*” (do not enter quotes) or the IP address assigned to your scanner appliance(s). (2) This is optional for a vulnerability scan, and required for a compliance scan.

Verify Functionality of the New Account (recommended)

After configuring group policy settings, we recommend you verify the functionality of your new Windows domain account to confirm it is suitable for Windows authenticated scanning.

Select Run from the Start menu and enter cmd.exe and click OK. Use the commands below to test administrative share access and registry access. Variables are enclosed in <>. You need to replace variables with appropriate values. For example replace <USER> with a username like jsmith (i.e. remove the brackets).

Run this command to test administrative share access:

net use Z: \<IP ADDRESS>C$ /PERSISTENT:no /USER:<DOMAIN><USER>

Run this command to test registry access:

runas /USER:<DOMAIN><USER> "cmd /k reg.exe query \<IP
ADDRESS>HKLMSoftware"

Note: There’s a space after “query” and before \<IP ADDRESS

WMI Service Configuration

Some of our compliance checks require secure access to WMI service to successfully perform compliance assessment. For this reason we recommend you to set the WMI service to run securely by increasing the authentication level to Packet Privacy.

We require high authentication level to scan the following namespaces and associated controls:

Namespace: rootcimv2securitymicrosofttpm
CID 11279 – Status of the ‘Trusted Platform Module (TPM)’ (Activated) on Windows
CID 11287 – Status of the ‘Trusted Platform Module (TPM)’ (Enabled) on Windows
CID 11288 – Status of the ‘Trusted Platform Module (TPM)’ (Owned) on Win

Namespace: rootCIMV2TerminalServices
CID 11478 – Current list of Groups and User Accounts granted the Remote Desktop Connection privilege

How to increase WMI authentication level

You need to run the following command on each host that you’ll scan for the above mentioned namespaces and controls.

winmgmt /standalonehost 6

Then restart the Winmgmt service

net stop winmgmt
net start winmgmt

For information on authentication levels see https://msdn.microsoft.com/enus/library/aa393972(v=vs.85).aspx

What happens when high level authentication is not provided?

You may see Insufficient Privileges or WMI query failures when scanning namespaces and controls that require high level authentication.

Sample error from Windows Authentication Report

Manage Authentication Records (Steps for authenticated scans)

Once you have created the user on Windows Server for use with Qualys, please open a ticket with SGBox support via the ticketing portal, with the ticket subject Qualys scan – with Windows authentication, Please provide the following information in your ticket:

1. Username of the account created for Qualys Scan.
2. Domain name of the server where the account was created for Qualys Scan.
3. IP address of the server that must be scanned.

Note: You must wait for SGBox Support, once it has received the ticket and taken charge of it, to confirm that it has correctly activated the configuration necessary for the next steps > Configure SGBox for the vulnerability assessments.

Configure SGBox for the vulnerability assessments

If you are already using SGBox to perform vulnerability scans, then simply go to SCM > Network > Assets.

1. Create a new asset named “Qualys scan – with Windows authentication” (Optional) and group the Windows hosts that will be subject to VA within it.
2. Assign in to the asset “Network Vulnerability Scanner” module.
3. Assign in to the asset “User” that must see the asset.
4. Assign in to the asset the policy named “AuthenticatedScan ALL (default)”.
5. Save your changes.

If this is the first time you are configuring Qualys Probe on SGBox, please follow the guide below for the configuration part: Configure a Qualys probe for SGBox