Knowledge Base – SGBox Next Generation SIEM & SOAR
https://www.sgbox.eu
Feed last updated Wed, 10 Jun 2026 10:46:29 +0000

6.4.0 https://www.sgbox.eu/en/knowledge-base/releases-en/6-x/6-4/6-4-0/ Wed, 10 Jun 2026 10:37:25 +0000

6.4.0

A new version of SGBox that improves many backend features and performance has been released.

TO UPDATE SGBOX ->
SCM > Applications > SGBox Updates
6.3.2 https://www.sgbox.eu/en/knowledge-base/releases-en/6-x/6-3/6-3-2/ Wed, 10 Jun 2026 09:03:37 +0000

6.3.2

A new version of SGBox that improves many backend features and performance has been released.

TO UPDATE SGBOX ->
SCM > Applications > SGBox Updates
Online logs manager https://www.sgbox.eu/en/knowledge-base/lm-log-management-en/configuration/online-logs-manager/ Thu, 28 May 2026 09:26:41 +0000

The Online Log Manager

This guide explains how to bring encrypted raw logs saved on the SGBox disk back online, so that they can be analyzed from the Historical Search page.

Online Log Manager

LM -> Configuration -> Online Log Manager: this interface allows you to view, for each host, the number of encrypted logs stored on SGBox and the number of “online” logs stored (i.e., those present in the database and searchable via historical search). For one or more hosts, it allows you to transfer logs from encrypted to online status, making them visible in the historical search.

  1. Select the sources from which you want to restore the logs online for the historical search (e.g., 172.0.0.1).
  2. Select the desired time range.
  3. Select the sources by checking the corresponding box (flag).
  4. Click the “Transfer selected” button to start transferring the logs online.

Once this step is complete, the system loads the encrypted raw logs into the “Historical Search” section, making them available for consultation.

Important Note: By default, the advanced options include an active service called “Retains online raw logs of the last N days”, which archives logs in the historical search that are older than 30 days every day at 00:00. Therefore, before importing logs online, it is recommended to temporarily disable this service for the duration of your consultation to prevent them from being automatically re-archived.

⚠️ Warning: Please note that when SGBox writes encrypted logs to the disk, they are compressed. This feature allows logs to be kept for the required retention period. Without it, managing and saving the traffic received from sources would be impossible, as it would require significantly more disk space on the appliance.
Using the Online Log Manager feature to bring archived and encrypted logs back online (for consultation via historical search) involves decompressing the files. As a result, a copy of the logs is imported which, in uncompressed format, can occupy up to 10 times the space of the compressed format.

Syslog Forwarder https://www.sgbox.eu/en/knowledge-base/lm-log-management-en/configuration/syslog-forwarder/ Thu, 07 May 2026 13:23:24 +0000

Purpose of the syslog forwarder

The purpose of the Syslog Forwarder feature in SGBox is not merely log duplication, but the intelligent filtering and selective redistribution of security data.

The primary purposes are:

  1. Centralization and Archiving (Compliance): Sending only critical or relevant logs to a long-term log server (e.g., a dedicated archive) to meet compliance requirements, reducing bandwidth and storage load by avoiding the transmission of “noisy” (informative/irrelevant) logs.
  2. Real-time Alerting and Notification: Forwarding specific alert events (identified via the Filter field) to dedicated incident response systems or monitoring dashboards, enabling a faster incident response.
  3. Noise Reduction: Acting as an “intelligent filter” between the network and another analysis system. Instead of flooding another server with millions of logs, SGBox analyzes the traffic and forwards only what is semantically important, thereby optimizing network and computing resources.

Installing the Syslog Forwarder Application

  • Go to SCM > Applications > Tools, search for Syslog Forwarder and click the Install button (Download and install).
  • Once the Syslog Forwarder app is installed, a new page named Syslog Forward appears under the Log Management > Configuration module.

Analysis of Key Points

The interface is divided into three main logical areas:

A. Configuration Area (Top Section)
This is the section where the user defines the parameters for the new forwarding rule. The fields present are:

  • Name & Description: These allow for the identification and documentation of the rule
  • Host & Port: These define the destination. The user specifies the IP address or hostname and the port (e.g., 514) to which the logs should be sent. Note that only TCP protocol is supported for reliability.
  • Type: Indicates the type of this rule, which can be “Allow” or “Block”.
  • Filter (The core of the function): This is a text area where the user defines the selection criteria. Not all traffic is forwarded; only logs that meet specific parameters (e.g., logs originating from a certain IP or containing a specific error string) are forwarded or blocked.

B. Available Source List – “Hosts” (Bottom Left)
This table displays the sources of the data currently being monitored by the SGBox system. This list serves as a “database” from which the user can pull data sources on which forwarding rule filters will be applied.

C. Involved Source list Area (Bottom Right)
This list shows the data sources to which the rule we are defining will be applied.

How to define a log forwarding rule

In addition to identifying a target, the Host and Port fields allow you to decide which logs to send. Remember that only the TCP protocol is supported, for reliability purposes.
The “Filter” field is a free text field where the user can define regular expressions. This text allows for multiple regular expressions, one per line. These will be processed as “or” by the forwarding backend.

Here are a few examples:

  • If the data source of interest is a firewall and you want to discard all dropped connections recorded by the firewall, select the “Block” type and enter the string “drop” in the filter text (assuming, of course, that the firewall marks a blocked connection with the word “drop”).

This way, only lines that do NOT MATCH “drop” will be forwarded to the destination syslog or, if you prefer, all the lines containing the “drop” word will be blocked.
The “drop” string entered in the “Filter” field is a simple regular expression. More complex regular expressions can also be used; for example, “d.rop” would produce the same result. Please refer to

  • Conversely, if we enter the string “drop” in the “Filter” field but select the “Allow” type, SGBox will forward ONLY the lines containing the string “drop,” discarding all others.

  • If we want to exclude lines containing “drop” and those containing “1.2.3.4,” we can do so in two different ways:
    1. We can specify this regular expression in the “Filter” field: drop|1.2.3.4
    2. We can alternatively write “drop” in the first line of the filter and “1.2.3.4” in the second. SGBox will then understand that it should exclude lines containing “drop” or “1.2.3.4”

  • The simplest scenario is the following: I want to forward ALL traffic from the data source 192.168.1.1 to the remote syslog. To achieve this, I select “Allow” as the type and write “.” (dot) in the filter field. “.” is the simplest regular expression that matches any string. The result is that any log line from 192.168.1.1 matches “.” and is forwarded to the remote syslog.

Warning: The syslog forwarder function does not know the meaning of the logs it is forwarding and will simply apply the rules.

How to Apply a Forwarding Rule

When a rule is saved, it is automatically applied. It is possible to create multiple rules that operate on the same hosts, but this technique requires special care.

Suppose we receive a line like

firewall drop from 1.2.3.4

If a “Block” rule is created on a data source for the lines containing the string “drop,” that rule will prevent the forwarding of the example line.
However, if an “Allow” rule is subsequently created that allows the forwarding of logs containing “1.2.3.4” from the same data source, the line we wanted to block with the previous rule will now be forwarded.
Although SGBox’s forwarding rule creation mechanism resembles that of firewall rules, it does not operate in the same way: all rules are applied to the log lines, which may or may not be blocked as a result.

For this reason, although it is possible, we recommend not applying multiple rules to the same data sources, to avoid unexpected results. Since a single rule can contain multiple regular expressions, we recommend that approach instead.
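The following Python model is an added illustration of the filter semantics described in this article (Allow/Block type, one regular expression per line, lines combined as “or”), not SGBox’s own code. It reproduces the “drop” and “1.2.3.4” examples, the “.” forward-everything rule, and the multi-rule pitfall above. The way several rules on one source combine (a line is forwarded if any rule forwards it) is an assumption modelled on the article’s example, and the log lines are constructed samples. It also shows one caveat the examples imply: in “1.2.3.4” the dots are regex wildcards, so the pattern also matches “1x2y3z4” unless the dots are escaped.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Added illustration, not SGBox code. Models the Filter field semantics
# from the article: one regex per line, processed as "or".


@dataclass
class ForwardRule:
    name: str
    rule_type: str      # "Allow" or "Block", as in the Type field
    filter_text: str    # contents of the Filter text area
    patterns: List[re.Pattern] = field(init=False)

    def __post_init__(self) -> None:
        if self.rule_type not in ("Allow", "Block"):
            raise ValueError("Type must be Allow or Block")
        # One regular expression per line; blank lines are ignored.
        self.patterns = [re.compile(p) for p in self.filter_text.splitlines() if p.strip()]

    def matches(self, line: str) -> bool:
        # Multiple expressions are processed as "or": any match counts.
        return any(p.search(line) for p in self.patterns)

    def forwards(self, line: str) -> bool:
        # Allow forwards only matching lines; Block forwards only non-matching lines.
        hit = self.matches(line)
        return hit if self.rule_type == "Allow" else not hit


def forwarded_by_any(rules: List[ForwardRule], line: str) -> bool:
    # ASSUMPTION (inferred from the article's example): every rule on a source is
    # evaluated independently and the line leaves the appliance if at least one
    # rule forwards it. This is why an Allow rule on "1.2.3.4" re-enables a line
    # that a Block rule on "drop" was meant to suppress.
    return any(r.forwards(line) for r in rules)


# Constructed sample lines, not taken from a real device.
SAMPLE_LINES = [
    "firewall drop from 1.2.3.4",
    "firewall accept from 10.0.0.7",
    "firewall drop from 10.0.0.9",
    "vpn session established for 1x2y3z4",
]


def apply_rule(rule: ForwardRule, lines: List[str] = SAMPLE_LINES) -> List[str]:
    """Return the lines a single rule would forward."""
    return [ln for ln in lines if rule.forwards(ln)]


def block_drop() -> List[str]:
    # Block + "drop": only lines NOT containing "drop" are forwarded.
    return apply_rule(ForwardRule("no-drops", "Block", "drop"))


def allow_drop() -> List[str]:
    # Allow + "drop": ONLY lines containing "drop" are forwarded.
    return apply_rule(ForwardRule("only-drops", "Allow", "drop"))


def block_drop_or_ip_two_ways() -> Tuple[List[str], List[str]]:
    # The two equivalent forms from the article: alternation on one line,
    # or one expression per line. Note that the unescaped dots in "1.2.3.4"
    # also match "1x2y3z4", so that line is blocked too.
    one_line = ForwardRule("alt", "Block", "drop|1.2.3.4")
    two_lines = ForwardRule("lines", "Block", "drop\n1.2.3.4")
    return apply_rule(one_line), apply_rule(two_lines)


def block_drop_or_exact_ip() -> List[str]:
    # Escaping the dots makes the second expression match the literal address only.
    rule = ForwardRule("exact", "Block", "drop\n" + re.escape("1.2.3.4"))
    return apply_rule(rule)


def allow_everything() -> List[str]:
    # Allow + "." forwards every (non-empty) line from the source.
    return apply_rule(ForwardRule("all", "Allow", "."))


def conflicting_rules() -> List[str]:
    # The pitfall from the article: a Block rule on "drop" plus an Allow rule on
    # "1.2.3.4" on the same source. "firewall drop from 1.2.3.4" is forwarded anyway.
    rules = [
        ForwardRule("no-drops", "Block", "drop"),
        ForwardRule("watch-ip", "Allow", "1.2.3.4"),
    ]
    return [ln for ln in SAMPLE_LINES if forwarded_by_any(rules, ln)]


if __name__ == "__main__":
    for fn in (block_drop, allow_drop, block_drop_or_exact_ip, allow_everything, conflicting_rules):
        print(fn.__name__, "->", fn())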

API configuration on MISP https://www.sgbox.eu/en/knowledge-base/soar/api-configuration-on-misp/ Mon, 04 May 2026 15:51:00 +0000

API configuration on MISP

This guide describes the installation and configuration of the MISP integration for SGBox. It enables users to make API calls, download feeds into SGBox, and perform cross-analyses between SGBox events and MISP data.

Enable integration with MISP

Generating an API Key

Access the MISP web interface as an administrator and go to User > Profile > Add authentication key.

  • Set the parameters required to generate an API key: user, comment (optional), allowed IPs, and API key expiration.

Installing the MISP package

Go to SCM > Applications > SOAR Premium > search for MISP and click the button Install (Download and install).

Configure MISP playbooks

Go to PB > Playbooks and modify the playbook named “MISP Authentication”.

  1. Edit the “Set variables” node by entering the MISP IP address into the host field. Click the Save button to save the changes to the node.
  2. Edit the “Generic credentials” node by entering the API key generated in the “Generating an API Key” section. Click the Save button to save the changes to the node.
  3. To save all changes and exit the MISP Authentication playbook, click the Save button.

In each of the following PB subflows:

  • MISP Add DST IP to SGBox list
  • MISP Add SRC IP to SGBox list
  • MISP Check IP on MISP

you must edit the node called Set variables, insert the MISP IP address into the Host field, and save the changes to the node by clicking the Save button.

Using MISP integration in SGBox for data analysis

Once the MISP playbooks are configured and communication is established, these nodes can be used to download feeds from MISP into SGBox, or to perform cross-analyses between SGBox events and MISP data. See the details below.

Playbooks of MISP and Utility

Name                           | Description
MISP Authentication            | Main MISP playbook for API authentication
MISP Add SRC IP to SGBox list  | This playbook enables the import of the MISP SRC IP list into SGBox lists.
MISP Add DST IP to SGBox list  | This playbook enables the import of the MISP DST IP list into SGBox lists.
MISP Check IP on MISP          | Use this playbook to query MISP from the SGBox Dashboard or Class/Pattern analysis and verify whether selected values (Source-IP/Destination-IP) exist in the MISP database.

Import MISP feeds into SGBox

  1. Go to SCM > Actions > Lists > Feeds.
  2. Click the ➕ New Feed button and fill in the Name and Playbook fields.
  3. Run a test; the result will be the list of values retrieved from MISP and imported into SGBox.
  4. Click the Create button to save the list in SGBox.

Once all the steps are completed, you will be able to see the imported feeds directly from the SGBox list.

  • MISP feeds imported into SGBox can be used in the Log Management module, specifically within Event Queries, for example to create event queries for filtering and analysis.
  • MISP feeds can also be used in the Log Correlation Engine via Threat Intelligence Queries and Rules to create correlation rules that leverage these feeds.

Perform cross-analyses between SGBox events and MISP data

In the SGBox Dashboard, you can use the MISP Check IP on MISP playbook to check if the IP values reported in an event are also present in the MISP database.

How to perform analysis
When connected to a dashboard containing IP values (IpAddress, SourceIP, DestinationIP, etc.):

  1. Select the IP you want to analyze with your mouse cursor and right-click.
  2. This should show the option Send this value to a playbook. A window will open where you can select the MISP Check IP on MISP playbook.
  3. Click the RUN button to execute the call to MISP and verify if the selected IP is present in the MISP database.

The result will be displayed directly within the analysis window.

6.3.1 https://www.sgbox.eu/en/knowledge-base/releases-en/6-x/6-3/6-3-1/ Thu, 30 Apr 2026 08:40:43 +0000

6.3.1

A new version of SGBox that improves many backend features and performance has been released.

TO UPDATE SGBOX ->
SCM > Applications > SGBox Updates
Syslog configuration on DarkTrace https://www.sgbox.eu/en/knowledge-base/client-configuration-en/network-appliance/syslog-configuration-on-darktrace/ Fri, 17 Apr 2026 14:31:17 +0000

Syslog configuration on Darktrace

Log in to your DarkTrace Management Console.

  • Go to the System configuration > Modules.
  • Look for “Workflow Integrations” > search: Syslog.

Enter the details of your SGBox and how to send logs:

  • IP Address/Hostname: The address of SGBox
  • Port: 514 (standard)
  • Protocol: Choose UDP protocol.
  • Format: CEF
Syslog configuration on Deceptive Bytes https://www.sgbox.eu/en/knowledge-base/client-configuration-en/network-appliance/syslog-configuration-on-deceptive-bytes/ Wed, 01 Apr 2026 09:28:56 +0000

Syslog configuration on Deceptive Bytes

The procedure is carried out primarily within the platform’s Management Console.

Log in to your Deceptive Bytes Management Console.

  • Go to the Settings (or Configuration) section from the main menu.
  • Look for the Integrations or External Logging / Syslog option.

Enter the details of your SGBox:

  • IP Address/Hostname: The address of SGBox
  • Port: 514 (standard)
  • Protocol: Choose between UDP (faster) or TCP (more reliable).
  • Format: If available, select CEF (Common Event Format)
Syslog configuration on Sangfor HCI / VDI https://www.sgbox.eu/en/knowledge-base/client-configuration-en/network-appliance/syslog-configuration-on-sangfor-hci-vdi/ Wed, 25 Mar 2026 17:20:44 +0000

Syslog configuration on Sangfor HCI / VDI

This article explains how to forward logs from Sangfor HCI / VDI to SGBox:
Go to System > Log or Monitor > Log Management
SGBox Clipboard https://www.sgbox.eu/en/knowledge-base/active-directory-engine-en/sgbox-clipboard/ Fri, 13 Mar 2026 08:59:12 +0000
Click to open the SGBox Clipboard user guide
