Client Configuration – SGBox Next Generation SIEM & SOAR

Configure login auditing MSSQL (SQL Server Management Studio)

SGBox — Fri, 01 Aug 2025 12:47:33 +0000

Configure login auditing MSSQL (SQL Server Management Studio)

This article describes how to configure login auditing in SQL Server on Windows, to monitor SQL Server Database Engine login activity. Login auditing can be configured to write to the error log on the following events.

Failed logins
Successful logins
Both failed and successful logins

Use SQL Server Management Studio to Configure login auditing

In SQL Server Management Studio, connect to an instance of the SQL Server Database Engine with Object Explorer.
In Object Explorer, right-click the server name, and then select Properties.
On the Security page, under Login auditing, select the desired option and close the Server Properties page.
- Note You must restart SQL Server before this option will take effect.
In Object Explorer, right-click the server name, and then select Restart.

Microsoft 365 (Office 365) – SGBox SIEM Integration Guide

SGBox — Tue, 29 Jul 2025 07:23:58 +0000

Microsoft 365 (Office 365) – SGBox SIEM Integration Guide

This Guide explains how to configure SGBox to make API calls to Microsoft 365 (previously called Office 365) with the purpose of collecting events in SGBox SIEM related to activities managed by Microsoft 365.

Requirements

To complete the tasks outlined in this guide, you’ll need the following:

Generate SGBox App in Microsoft 365.
Be sure that the SGBox Appliance can communicate with these addresses:
- https://login.windows.net/
- https://manage.office.com/api/v1.0/
Add a custom Host in SGBox for Microsoft 365.
Install and configure the Microsoft 365 API package.
Install and configure the Microsoft 365 package.

Generate SGBox App in Microsoft 365

In order to allow SGBox to connect via API to your Azure tenant and retrieve the Audit logs you need to create a new app for SGBox and assign the correct privileges.

For instructions on how to view logs in your Azure tenant and how to configure an external application to retrieve these logs using API calls, please open a ticket with SGBox support via the ticketing portal, with the ticket subject Microsoft 365 (Office 365) Application Configuration.

Add custom Host in SGBox for Microsoft 365

You must define a Host in SGBox to make sure that the logs collected from Microsoft 365 will be written into the SIEM, to achieve or analyze them.

Go to SCM > Network > Host list.
Click the button ➕ New Host.
Insert “Microsoft365” or “Office365” in the Host field and Save the new host

Install and configure the Microsoft 365 API package

It is also necessary to install a Microsoft 365 API package in SGBox to deploy on the SIEM configuration used to obtain or analyze Microsoft 365 events.

Go to SCM > Applications > Packages and download the package named Microsoft 365 (Office 365) API by click the button Install.
Click Install to finish the installation.

Configure SGBox Playbooks for Microsoft 365

Go to SCM > PB > Playbook and edit [OFFICE 365] Settings and starter.
Edit node called O365 credentials and insert tenant, client_id, client_secret obtained during the step Generate SGBox App in Microsoft 365, save the changes on node by click Save button.
On every PB Subflow
- [OFFICE 365] AzureActiveDirectory Audit
- [OFFICE 365] DLP
- [OFFICE 365] Exchange Audit
- [OFFICE 365] General Audit
- [OFFICE 365] SharePoint Audit
- [OFFICE 365] Windows Defender
- You must edit a node called Write log page and in the field choose from list choose “Microsoft365” previously defined in the Host list, save the changes on the node by clicking the Save button.
Schedule the [OFFICE 365] Settings and starter PB by clicking the button with the clock icon 🕓 , set an appropriate time interval (not less than 5 minutes), save the change, to run Playbook, click the Execute button and choose Background run.
If the API connection between Microsoft 365 and SGBox is working, a Green 🟢 icon will appear on the Status column and in the Host list for Microsoft365 host on the Last Log column will start showing the timestamp of the last data received from Microsoft 365 in SGBox.
Notes, to check the availability of data collected by SGBox you can also refer to the Historical search page.In case the execution of PB gives an error, a Red icon 🔴 will be shown, In this case the advice is to better check the configuration part to make sure that there are no errors in the input of the parameters needed for the API connection, or, In case of further problems you can open a ticket to SGBox Support via ticketing portal

Analyzing collected data

Go to SCM > Applications > Packages and download the package named Microsoft 365 (Office 365) by click the button Install
During the Installation of the package in the field Select the hosts the package will be associated with choose “Microsoft365” previously defined in the Host list.
Click Install to finish the installation
Go to LM > Configuration > Mapping > edit mapping called [O365] and in the field choose from list choose “Microsoft365” previously defined in the Host list, save the changes by click OK button, Confirm.

In this way, after few minutes SGBox will begin to analyze the events it has collected, which will be searchable from the SGBox analysis pages (Class/Pattern analysis, Custom Report List, Dashboard).

Cato Network – SGBox SIEM Integration Guide

SGBox — Mon, 07 Apr 2025 08:53:36 +0000

Cato Network – SGBox SIEM Integration Guide

This Guide explains how to configure SGBox to make API calls to Cato Network with the purpose of collecting events in SGBox SIEM related to Network and IDS/IPS activities managed by CATO.

To complete the tasks outlined in this guide, you’ll need the following:

Create an API key and obtain your Account ID from Cato Networks.
Configure SGBox Playbooks for Cato Network

Overview of Cato API Keys

The API Keys page lets you generate API keys in the Cato Management Application that are used to authenticate to the Cato API server. Enter the API key for an API client or for scripts to run API calls for authentication to Cato.

Cato supports two types of API calls:

View permissions – Perform read-only API calls to retrieve data for your account
Edit permissions – Perform write API calls to make changes to your account

Note: SGBox uses eventsFeed API to ingest event data, so it is required to make sure to select Enable integration with Cato events in the Resources > Event Integrations page.

Generating an API Key

Navigate to Administration > API Management.
Click the button for a New key.
In the dialog that displays, enter an identifying Key Name.

In the API Permission for this key, select option View.
In the Allow access from IPs, select Specific IP list, and define the IP addresses that are allowed to use this API key, including the SGBox IP Address.
- The default setting is to allow this API key for Any IP address.
(Optional) Select a date that the API key Expires at.
Click Apply.
When the key is created, a dialog with the value displays. Click the Copy button to copy your API key and ensure you save it to a secure location.
- Once you close this window, you can’t access the value for the API key.
Click OK to close the API key dialog.
When the list of keys re-displays, locate the toggle for Use Cato-Events API is Enabled.

Obtain your Account ID from Cato Networks

Account ID Location:

The Account ID is found within the Cato Management Application. Specifically by navigating to Account > Account Info.
Also it is shown within the URL of the Cato account when logged in.
- For example, if your Account ID is “1234” then the URL should look like: https://sgbox.catonetworks.com/#!/1234/topology

Configure SGBox Playbooks for Cato Networks

Add Custom Host

You must define a Host in SGBox to make sure that the logs collected from CATO will be written into the SIEM, to achieve or analyze them.

Go to SCM > Network > Host list
Click the button ➕ New Host
Insert “CatoNetwork” in the Host field and Save the new host

Cato Network Package Installation

It is also necessary to install a Cato network package in SGBox to deploy on the SIEM configuration used to obtain or analyze CATO events.

Go to SCM > Applications > Packages and download the package named “Cato Network” by click the button Install
During the Installation of the package in the field Select the hosts the package will be associated with choose “CatoNetwork” previously defined in the Host list.

Click Install to finish the installation

Cato Network PB Configurations

Go to SCM > PB > Playbook and edit [Cato] Network Get RawLogs
Edit node called [SET] Credentials Parameters and insert API key and Account ID obtained from CATO, save the changes on node by click Save button.

Edit node called [WRITE] RawLog and in the field choose from list choose “CatoNetwork” previously defined in the Host list, save the changes on node by click Save button.

To save all changes and exit the [Cato] Network Get RawLogs playbook, click the Save button.

Schedule the [Cato] Network Get RawLogs PB by clicking the button with the clock icon 🕓 , set an appropriate time interval (not less than 5 minutes), save the change, to run Playbook, click the Execute button and choose Background run.

If the API connection between Cato Network and SGBox is working, a Green 🟢 icon will appear on the Status column and in the Host list for CatoNetwork hosts on the Last Log column will start showing the timestamp of the last data received from CATO in SGBox.

Notes, to check the availability of data collected by SGBox you can also refer to the Historical search page: https://www.sgbox.eu/en/knowledge-base/historical-search/

In case the execution of PB gives an error, a Red icon 🔴 will be shown, In this case the advice is to better check the configuration part to make sure that there are no errors in the input of the parameters needed for the API connection, or, In case of further problems you can open a ticket to SGBox Support via ticketing portal: https://sgboxportal.sgbox.it/portal/en/signin

Analyzing collected data

Go to LM > Configuration > Mapping > edit mapping called [Cato] Network and in the field choose from list choose “CatoNetwork” previously defined in the Host list, save the changes by click OK button, Confirm.

In this way, SGBox will begin to analyze the events it has collected, which will be searchable from the SGBox analysis pages (Class/Pattern analysis, Custom Report List, Dashboard).

SIEM solutions integration with Apex Central

SGBox — Mon, 10 Mar 2025 15:26:52 +0000

Syslog Configuration on Apex

Configure Syslog Settings For Apex Central On-premise

Configure Syslog Settings Apex SaaS

Configure Syslog Settings For Apex Central On-premise

In order to send logs to SGBox you need to modify first you syslog settings:

Go to Detections > Notifications > Notification Method Settings. The Notification Method Settings screen will appear.
In the Syslog Settings section, specify the following:
- Server IP address: Type the IPv6 or IPv4 address of the syslog server
- Port: The port number of the syslog server
- Facility: Select the facility code
Click Save

Log Forwarder can send several log types from the Apex Central database to a syslog server in either Common Event Format (CEF) or Apex Central format.

Enable Syslog now Syslog Forwarding:

NOTE:

Apex Central starts forwarding logs to the configured syslog server.
To monitor the log forwarding status, go to Administration > Command Tracking and select Forward Syslog from the Command drop-down list.

Configure Syslog Settings Apex SaaS

Log Forwarder can send several log types from the Apex Central database to a syslog server in either Common Event Format (CEF) or Apex Central format.

Log in to Apex Central console using an Administrator account.
Go to Administration → Settings → Syslog Settings. The Syslog Settings screen appears.
Select the Enable syslog forwarding check box.
Configure the following settings for the server that receives the forwarded syslogs:
- Server address: FQDN or IP address of the receiving Syslog or SIEM server.
- Port: Syslog server port number. For UDP, the IANA standard port number is 514. For TLS, it’s usually port 6514.
- Protocol: Select TCP, UDP, or SSL/TLS as the method of communication with the syslog server
- NOTE: For best security practice, upload CA certificate that issued receiver’s SSL certificate to enable SSL certificate validation. If the receiver SSL certificate is a self-sign certificate, it must contains Subject and Subject Alternative Name, the CN Name and DNS Name must contain the Receiver host FQDN or IP address.Apex Central only supports CA certificates in X.509 format with .DER or .PEM encoding
Select the log Format:
- CEF: Uses the standard Common Event Format (CEF) for log messages
Configure the Frequency for when Apex Central forwards the logs.
Select the log type(s) to forward:
- Select a log category from the Log type dropdown list:
  - Security log
  - Product information
- Select the check box for the log(s) you want to forward. Apex Central displays the total number of selected log types next to the Log type dropdown list.
- (Optional) Select another log category from Log type dropdown list to select additional logs types to forward.
Click Test Connection to test the server connection. The syslog server connection status will appear at the top of the screen.
Click Save.

NOTE:

Apex Central starts forwarding logs to the configured syslog server.
To monitor the log forwarding status, go to Administration > Command Tracking and select Forward Syslog from the Command drop-down list.

 If SSL/TLS is selected, by default Apex Central accepts receiver's SSL certificate without validation

For best security practice, upload CA certificate that issued receiver’s SSL certificate to enable SSL certificate validation.
If the receiver SSL certificate is a self-sign certificate, it must contains Subject and Subject Alternative Name, the CN Name and DNS Name must contain the Receiver host FQDN or IP address.
Apex Central only supports CA certificates in X.509 format with .DER or .PEM encoding

For more information

Syslog configuration on Sangfor

SGBox — Mon, 10 Mar 2025 15:04:43 +0000

Syslog configuration on Sangfor

Cyber Command

Endpoint Secure

Cyber Command

Endpoint Secure

Syslog configuration on ESET

SGBox — Mon, 24 Feb 2025 09:12:05 +0000

Syslog configuration on ESET

Following the steps to send logs from ESET (on-premise and Cloud) console to SGBox.

Syslog server Configuration On Premise

Syslog server Configuration On Cloud

Syslog server Configuration On Premise

Syslog server Configuration On Cloud

For more information visit these links:

Syslog configuration on Cortex

SGBox — Fri, 21 Feb 2025 15:11:36 +0000

Syslog configuration on Cortex XDR

Select Settings → Configurations → Integrations → External Applications.
In Syslog Servers, click + New Server.
Define the following parameters:
- Name: for the server profile
- Destination: IP address or fully qualified domain name (FQDN) of SGBox.
- port: number on which to send syslog messages.
- facility: Select one of the syslog standard values. The value maps to how your syslog server uses the facility field to manage messages. For details on the facility field, see RFC 5424
- Protocol: method of communication with the syslog receiver.
  - TCP: No validation is made on the connection with the syslog receiver. However, if an error occurred with the domain used to make the connection, the Test connection will fail.
  - UDP: No error checking, error correction, or acknowledgment. No validation is done for the connection or when sending data.
  - TCP + SSL: Cortex XDR validates the syslog receiver certificate and uses the certificate signature and public key to encrypt the data sent over the connection.
- Certificate: The communication between Cortex XDR and the syslog destination can use TLS. In this case, upon connection, Cortex XDR validates that the syslog receiver has a certificate signed by either a trusted root CA or a self-signed certificate. You may need to merge the Root and Intermediate certificate if you receive a certificate error when using a public certificate. If your syslog receiver uses a self-signed CA, upload your self-signed syslog receiver CA. If you only use a trusted root CA leave the certificate field empty.
  - Note: Up to TLS 1.3 is supported. – Make sure the self-signed CA includes your public key.
  - You can ignore certificate errors. For security reasons, this is not recommended. If you choose this option, logs will be forwarded even if the certificate contains errors.
Test the parameters to ensure a valid connection, and click Create when ready

Syslog configuration on Cisco WLC

SGBox — Thu, 20 Feb 2025 09:18:20 +0000

Syslog configuration on WLC ( GUI )

Go to Management > Logs > Config. The Syslog Configuration (GUI) age appears:
Enter the Syslog Server IP Address and click Add. You can add up to three syslog servers to the controller. The list of syslog servers that have already been added to the controller appears under this text box. If you want to remove a syslog server from the controller, click Remove to the right of the desired server.
To set the Syslog Level (severity) for filtering syslog messages to the syslog servers, choose one of the next options from the Syslog Level drop-down list:
- Emergencies= Severity level 0
- Alerts= Severity level 1 (default value)
- Critical= Severity level 2
- Errors= Severity level 3
- Warnings= Severity level 4
- Notifications= Severity level 5
- Informational= Severity level 6
- Debugging= Severity level 7
  - NOTE: If you set a syslog level, only those messages whose severity is equal to or less than that level are sent to the syslog servers. For example, if you set the syslog level to Notifications (severity level 5), only those messages whose severity is betwen 0 and 5 are sent to the syslog servers.
  - NOTE: If you have enabled logging of Debugging messages to the logging buffer, some messages from application debug could be listed in message log with severity that is more than the level set. For example, if you execute the debug client mac-addr command, the client event log could be listed in message log even though the message severity level is set to Errors.
To set the Syslog Facility for outgoing syslog messages to the syslog servers, choose one of these options from the Syslog Facility drop-down list:
- Kernel= Facility level 0
- User Process= Facility level 1
- Mail= Facility level 2
- System Daemons= Facility level 3
- Authorization= Facility level 4
- Syslog = Facility level 5 (default value)
- Line Printer= Facility level 6
- USENET= Facility level 7
- Unix-to-Unix Copy= Facility level 8
- Cron= Facility level 9
- FTP Daemon= Facility level 11
- System Use 1= Facility level 12
- System Use 2= Facility level 13
- System Use 3= Facility level 14
- System Use 4= Facility level 15
- Local Use 0= Facility level 16
- Local Use 2= Facility level 17
- Local Use 3= Facility level 18
- Local Use 4= Facility level 19
- Local Use 5= Facility level 20
- Local Use 5= Facility level 21
- Local Use 5= Facility level 22
- Local Use 5 = Facility level 23
  - NOTE: For example, selecting Kernel makes only kernel related messages to be sent. Authorization, makes only AAA related messages to be sent, and so on.
Click Apply.

Configuring Syslog on WLC ( CLI )

Enable system logging and set the IP address of the syslog server to which to send the syslog messages by entering this command:
- (Cisco Controller) >config logging syslog host server_IP_address
To remove a syslog server from the controller by entering this command:
- (Cisco Controller) >config logging syslog host server_IP_address delete
Set the severity level for filtering syslog messages to the syslog server by entering this command:
- (Cisco Controller) >config logging syslog level severity_level

Syslog configuration on QNAP

SGBox — Wed, 12 Feb 2025 13:38:08 +0000

Syslog configuration on QNAP

Here the steps to send logs to SGBox.

Log in to QuLog Center.
Go to QuLog Service > Log Sender > Send to Syslog Server.
Enable Send logs to remote syslog server.
Click on Add destinatinatio IP address
- Enter SGBox IP on Destination IP
- Enter 514 as Port
- Select UDP as Transfer protocol
- Destination IPPut Event & Access Log on Log type
- Format ( you can click send a test message to test the connection

Click on apply

Syslog configuration on Ubiquiti

SGBox — Tue, 11 Feb 2025 15:28:20 +0000

Syslog configuration on Ubiquiti

These instructions assume:

The date, time and time zone are correctly set on the device.
You have administration access to the UniFi controller web interface.

Configure syslog:

Log in to the UniFi Controller’s web interface.
Click Settings (the gear icon) in the bottom left corner.
Under the Site heading, navigate to the Remote Logging section.
Select the checkbox beside Enable remote syslog server. Leave the Enable debug logging box unchecked.
Enter the SGBox IP address.
Enter 514 in the Port field.

Click Apply changes.

For more information visit

Client Configuration – SGBox Next Generation SIEM & SOAR

Configure login auditing MSSQL (SQL Server Management Studio)

Configure login auditing MSSQL (SQL Server Management Studio)​

Use SQL Server Management Studio to Configure login auditing

Microsoft 365 (Office 365) – SGBox SIEM Integration Guide

Microsoft 365 (Office 365) – SGBox SIEM Integration Guide​

Requirements

Generate SGBox App in Microsoft 365

Add custom Host in SGBox for Microsoft 365

Install and configure the Microsoft 365 API package

Configure SGBox Playbooks for Microsoft 365

Analyzing collected data

Cato Network – SGBox SIEM Integration Guide

Cato Network – SGBox SIEM Integration Guide

Overview of Cato API Keys

Generating an API Key

Obtain your Account ID from Cato Networks

Account ID Location:

Configure SGBox Playbooks for Cato Networks

Add Custom Host

Cato Network Package Installation

Cato Network PB Configurations

Analyzing collected data

SIEM solutions integration with Apex Central

Syslog Configuration on Apex

Syslog configuration on Sangfor

Syslog configuration on Sangfor

Syslog configuration on ESET

Syslog configuration on ESET

Following the steps to send logs from ESET (on-premise and Cloud) console to SGBox.

Syslog configuration on Cortex

Syslog configuration on Cortex XDR

Syslog configuration on Cisco WLC

Syslog configuration on WLC ( GUI )

Configuring Syslog on WLC ( CLI )

Syslog configuration on QNAP

Syslog configuration on QNAP

Syslog configuration on Ubiquiti

Syslog configuration on Ubiquiti

These instructions assume:

Configure syslog:

Configure login auditing MSSQL (SQL Server Management Studio)

Microsoft 365 (Office 365) – SGBox SIEM Integration Guide