LM – Log Management – SGBox Next Generation SIEM & SOAR
https://www.sgbox.eu

Custom Report
https://www.sgbox.eu/en/knowledge-base/custom-report/ (Fri, 18 Apr 2025)

Custom reports are used to filter search results and extract information from different classes.
To create a Custom Report go to LM > Custom Report. This page opens the list of existing reports, and from here you can also create a new one.

Requirements:

  • SGBox version 6.0.0

Main Page

The main page displays information about the Custom Reports, including their owners and associated tags. 

  1. Action box:
    • Select All: selects all the custom reports in the table.
    • Multiple Editing: opens a dialog that allows the multiple editing of the selected custom reports.
    • Remove: opens a dialog that allows the removal of custom reports.
  2. Filter box:
    • Input Field: used to filter the entire table. The filter value is compared with all the cells.
    • Pin Icon: keeps the filter pinned so that it survives a page reload.
  3. Table Actions box:
    • Plus Icon: opens a new page for adding a custom report.
    • CSV: downloads the table in CSV format.
    • XLS: downloads the table in XLS format.
    • Edit Icon: opens a new page for editing a custom report.
  4. Edit icon:
    • Opens a new page that allows the editing of the Custom Report.

Create New Custom Report

Click on the “+” button to create a new Custom Report. Once created you can set different options:

  • Time Interval: filters the selected Time Range. SGBox has predefined intervals such as working hours, working hours excluding lunch time, etc. The icon next to the input redirects the user to the Intervals page.
  • Actions box:
    • Export CSV: SGBox performs the search and saves the results in a CSV file.
    • Save: saves the Custom Report.
  • Translate Parameters: this switch must be turned on if you want to display your parameter values as aliases.
  • Parameters Configuration: the parameters configuration offers different search modes for filtering results and providing them to the RS Module. Each parameter can be selected or deselected to be shown or hidden in the results.
  • Filter Type: although the default filter type is regex, the search type can be useful when you need to filter the results with a path. Case sensitivity applies to both types.
    • When applying a filter in conjunctive mode (AND), only results that satisfy all the filters are returned.
    • Conversely, when using a filter in disjunctive mode (OR), results that satisfy at least one of the filters are returned.

Results appear after clicking on the Search button, and it’s possible to refine the search by clicking on the Pin icon to show the configuration. The Custom Report page provides two different views and you can alternate between them using the icons (1).

You can share a custom report with other users. Each custom report has an owner, but the owner can share it with other users so that they can view it after logging in.


Historical Search
https://www.sgbox.eu/en/knowledge-base/historical-search/ (Wed, 12 Mar 2025)

This section is used to analyze logs coming from each data source. You can find it in LM > Analysis > Historical Search.

Logs are stored in a database. When you search them you can use operators like “AND”, “OR” and “NOT” to filter the search results.
You can choose the host/asset from which you want to extract logs and set a time range. When “case sensitive” is active, the upper and lower case of the characters entered in the search bar is taken into account.

Special characters (wildcards) can be used in requests as in the SQL language.
In particular, the character ‘%’ represents an arbitrary number of characters while the character ‘_’ represents a single character. For this reason the string “Beatrice” can be represented as “Bea%c_”.
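As an added example (not SGBox code), the following Python translates the ‘%’ / ‘_’ wildcard syntax described above into a regular expression and applies it to constructed log lines, honouring the “case sensitive” switch. The assumption that a search term is looked for anywhere inside the log line is mine, not stated on the page.

```python
import re

# Constructed sample log lines (not real SGBox output).
SAMPLE_LOGS = [
    "2025-03-12 10:01:22 host1 sshd[412]: Accepted password for Beatrice from 10.0.0.5",
    "2025-03-12 10:01:30 host1 sshd[413]: Failed password for beatrice from 10.0.0.9",
    "2025-03-12 10:02:01 host2 sshd[901]: Accepted password for Beatrix from 10.0.0.5",
]


def wildcard_to_regex(pattern: str) -> str:
    """Convert an SGBox-style wildcard pattern into an (unanchored) regex string.

    '%' stands for any run of characters (including none) and '_' for exactly
    one character; every other character is matched literally.
    """
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            # Escape regex metacharacters so '.', '(' etc. keep their literal meaning.
            parts.append(re.escape(ch))
    return "".join(parts)


def wildcard_match(pattern: str, text: str, case_sensitive: bool = True) -> bool:
    """Return True if the whole of `text` matches the wildcard `pattern`."""
    flags = 0 if case_sensitive else re.IGNORECASE
    # fullmatch anchors both ends; DOTALL lets '%' span a newline inside a multi-line entry.
    return re.fullmatch(wildcard_to_regex(pattern), text, flags | re.DOTALL) is not None


def search_logs(pattern: str, lines, case_sensitive: bool = True):
    """Return the log lines that contain a substring matching the pattern.

    Assumption (not from the page): the search term may appear anywhere in the
    line, so the pattern is wrapped in '%' before the whole-line match.
    """
    wrapped = "%" + pattern + "%"
    return [line for line in lines if wildcard_match(wrapped, line, case_sensitive)]


if __name__ == "__main__":
    print(wildcard_match("Bea%c_", "Beatrice"))
    for hit in search_logs("Bea%c_", SAMPLE_LOGS, case_sensitive=False):
        print(hit)
```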


Class/Pattern Analysis
https://www.sgbox.eu/en/knowledge-base/class-pattern-analysis/ (Mon, 13 May 2024)

The Class/Pattern Analysis panel allows you to perform a specific analysis on classes and hosts.

Main Page

This page displays the data in various significant ways. Firstly, at the top of the page, you can select a Time interval to load hosts and classes based on a specific time period. You can conduct your searches using the Classes section and the Host section to filter the different events.

First Analysis

First, you have to select one or more classes/hosts; in this case I chose two classes. The system will then load the Event Section, and the Hosts Section will be updated, along with the graph.
The Event Section displays all the involved patterns and hosts (impacted hosts). At this point, the user can specify a time interval by zooming in on the graph. To complete the configuration the user needs to select up to five patterns for analysis.

The following image represents a complete configuration:

I’ve chosen a time period using the graph (1) and the data has been loaded. After selecting the two patterns (2), the SGBox Live button has been enabled. Everything is ready to start an SGBox Live analysis.

SGBox Live

The Time Interval (1) and the Graph have been updated based on the previously selected time period. The Show Detail button (2) replaces the Aggregated Data view with the Details view to provide more in-depth information about the events.

The icon (3) adjusts the height and overlays the graph.

The Aggregated Data view consists of parameter tables ordered by count. Parameters can be used to filter the data further, and the graph provides information about matches per minute. The graph remains dynamic, allowing the user to resize the time interval as often as desired.

As you can see, after selecting parameters (1) and choosing the time period (2), the data has been reloaded. The Aggregated Data view now displays the matches that occurred during that time. If the user wants more information about specific parameter values, they can right-click and perform various actions.

Search this value as…

After selecting the desired parameters, SGBox will generate a dashboard that searches for the value taken into account for all the selected patterns. The user will receive a view similar to this.

WHOIS

WHOIS is a query and response protocol that is used for querying databases that store an internet resource’s registered users or assignees. These resources include domain names, IP address blocks and autonomous systems.

Map

Map locates one or more hosts on a world map.

Parameter Value on Google

SGBox redirects you to a Google page where a query has been performed using the specified parameter value.

Export Parameter Table

SGBox saves the table as a CSV file containing the parameter values, their translations and their matches.

Details view

The Details view offers a comprehensive overview of the logs. Logs can be displayed together or split by patterns. The Patterns section is used to filter the information. In this view, you can also zoom in on the graph to inspect a particular time period.


The Events Queries
https://www.sgbox.eu/en/knowledge-base/the-events-queries/ (Wed, 13 Mar 2024)

The Event Query is a feature introduced in version 5 that permits performing SQL-style queries on events or logs.

Query Purpose

Queries offer numerous benefits, primarily speed: they access the database where the events are stored directly.

The primary reasons for utilizing these queries include:

  • To replace an LCE Rule
  • Generate a statistic (temporary or permanent)
  • Generate an event based on a specific event threshold
  • Generate an e-mail alert or setup other action triggered by the query

Query Basics

Follow this KB article to learn the basic syntax and compose your very first query: SGBox – Events Queries Basics

More details about querying raw logs directly: SGBox – Events Queries from Raw Logs

Query Options

  • 🕑 Interval: the monitoring window the query looks at (5 minutes in the example). You can find this option in the scheduling options.
  • 📅 Active Scheduling: the scheduled query will run every minute.

A timeline summary of the two options combined:

Join

If you need to correlate two different events and use different WHERE conditions in the two queries, you can combine them later using the “Join Query” panel.
Here you can define the two queries.

More details and examples can be found in this KB article:

Advanced Syntax

In a query you can use various functions, as described in the list below.

Column alias

Every parameter, represented as a column, can be aliased with a name.

The general syntax is:
column AS aliasname
where column can be $TIMESTAMP, $HOST, $EVENT, or any $PARAM:*

Using an alias is a best practice that also permits pre-calculating the value in a column, to use it later in the WHERE or FINALLY statement.

Note: some column aliases are forbidden: ts, Pattern, pid, hid

Functions and Statements

Function | Position | Example | Definition
<column> as columnname (alias) | SELECT | $PARAM:[TargetUserName] as User | Define a column name (the alias can be referenced later also in the WHERE and FINALLY parts)
count() | SELECT, WHERE, FINALLY | | Count the rows by type (must be used together with GROUP BY)
min(column), max(column) | SELECT, WHERE, FINALLY | | When the other columns are grouped, select the first or last value of the column set
extract(column, 'regex (valuetoextract) secondpart') | SELECT, WHERE, FINALLY | extract($LINE, 'TargetUserName="(.*?)" TargetDomainName=') | Extract part of the value from a column (only the first occurrence)
extractAll(column, 'regex(value1)other(value2)') | SELECT, WHERE, FINALLY | | Extract multiple values by regex and output them as an Array (not a string)
extract(column, '(?i)regex (valuetoextract) secondpart') | SELECT, WHERE, FINALLY | | Extract a value with the case-insensitive modifier (?i) at the beginning of the regex
toString(column or expression) | SELECT, WHERE, FINALLY | | Convert a column value to a String
uniqExact(column) | SELECT, WHERE, FINALLY | | Count the distinct values of a column
arrayStringConcat(extractAll(column, 'regex (val1) continue (val2)'), 'separator_char') | SELECT | | Combination of a multi-extraction of values joined into a single string, separated by a specific char or string
toStartOfHour(timestamp) | SELECT, WHERE, FINALLY | | Round the Timestamp to the hour. Similar: toStartOfDay, toStartOfMinute, toStartOfMonth, toStartOfYear
runningDifference(timestamp) as Difference | SELECT | | Calculate the difference between the current and the preceding row (the first row is always 0)
COLUMNS('string or regex') | WHERE, FINALLY | | Select any column matching the string or regex
GROUP BY column1, column2, columnalias1 | FINALLY | | Group by similar values in the specified columns. If used, all the columns must be referenced in the GROUP BY clause or wrapped in an aggregate function in the SELECT (like min(), max(), sum(), avg(), etc.)
HAVING column … | FINALLY | | Similar to the filters in the WHERE statement; can be used to filter certain values after the use of the GROUP BY keyword
column IN ('val1', 'val2') | WHERE | User IN ('Maya', 'Tom.admin', 'Kevin') | Filter by one or more (specific) values inside a column
column LIKE '%Value%' | WHERE | User LIKE '%user%' | Filter by a value contained in the column
column LIKE '%Value' | WHERE | User LIKE '%admin' | Filter by a value at the end of the column
column LIKE 'Value%' | WHERE | User LIKE 'admin%' | Filter by a value at the start of the column
NOT | WHERE | | Reverse a filter
match(mycolumn, arrayStringConcat((SELECT groupArray(value) FROM $LIST:[regexlist]), '\|')) | WHERE | | Filter mycolumn against a custom pre-built regex list
column IN (SELECT value FROM $LIST:listname) | WHERE | | Syntax to filter values by a list
match(column, 'myfilterregex') | SELECT, WHERE, FINALLY | match(User, 'admin.*|user.*') | Verify if a regex expression matches a column (often used in WHERE)
multiMatchAny(column, ['regex1', 'regex2']) | WHERE | multiMatchAny(User, ['admin.*', 'Kevin']) | Similar to match, but can verify multiple different regexes. A similar but simpler syntax can be obtained with: col1 LIKE '' OR col1 LIKE ''
LIMIT number | FINALLY | | Limit the result set to the number specified
LIMIT number BY column | FINALLY | | Limit the result set for each value in the column

Complex Example

SELECT
    count() as cnt,
    max($TIMESTAMP) as lastlog,
    sum($PARAM:[packetsize]) as totalsize,
    extract($PARAM:[longmessage], 'beforetext: (\w+ mystringtocatch) ') as extractedMsg
FROM ()
WHERE
    (
        extractedMsg LIKE '%anytext%'
        OR match($PARAM:[longmessage], 'anyotherstring')
        OR extractedMsg IN ('fixedvalue1', 'fixedstring2')
    )
    AND NOT totalsize > 500
FINALLY
    GROUP BY totalsize, extractedMsg
    HAVING count() > 10
    ORDER BY cnt DESC, lastlog

Troubleshooting

Convert Event Queries as Report

There are two main ways to generate (or schedule) a Report starting from an Event Query.

Using dashboard

The steps to follow:

  1. Generate the query (pay attention to ordering the results correctly with the ORDER BY directive)
  2. Associate the event query to a new, specific dashboard
  3. Schedule the newly created dashboard as a Report

Note: the report will generate only a PDF attachment. To generate a tabular (CSV) report you must use the second solution.

By creating a new event

  1. Generate the query and output an event as action (define the event name and class)
  2. Schedule the report starting from the newly created class

Event Queries to generate Widget in Dashboard

Some Event Queries can be used as a base to fill widgets on a dashboard.

On the dashboard, open the Add Widget menu.
Next, in the new window you can manage the source Event Query and the visualization type.

To build the correct query syntax for each widget type, please check the next chapter.

Table

You can build any type of query to show as a table; only pay attention to the size of the single columns, as in the widget they may be limited or truncated.

Example

Pie, Cloud

Any number of columns, but the last column must be numeric (it is used to build the slices of the pie).

Example

SELECT
    $EVENT as evt, count() as cnt
FROM 4 events on all hosts
FINALLY
    GROUP BY evt

or

SELECT
    count() as Count, $EVENT as evt, count() as cnt
FROM 4 events on all hosts
FINALLY
    GROUP BY evt

Column

The first column is the value on the X axis.
The other columns must be numeric values, as they are the numeric series.

Example

SELECT
    $EVENT as evt, count() as cnt
FROM 4 events on all hosts
FINALLY
    GROUP BY evt

or

SELECT
    $EVENT as evt, count() as cnt, count()+100 as cnt100
FROM 4 events on all hosts
FINALLY
    GROUP BY evt

Map

The first column must be an IP address value.
The second must be numeric (typically a count).

Example

SELECT
    $PARAM:[SourceIP] as SourceIP, count() as cnt
FROM 4 events on all hosts
FINALLY
    GROUP BY SourceIP

Timeline

The first column must be a Timestamp value (datetime).
The second is a string value used for the legend.
The last column must be a number (used for the point).

Example

SELECT
    $TIMESTAMP as timestamp, $EVENT as evt, $PARAM:[HttpStatuscode]
FROM 4 events on all hosts

or

SELECT
    $TIMESTAMP as timestamp, $EVENT as Evt, $PARAM:[HTTPSize] as Size, toUInt8($PARAM:[HTTPSize])+100 as avgsize
FROM 4 events on all hosts

or

SELECT
    $TIMESTAMP as ts, $PARAM:[UserName] as User, count() as cnt
FROM 1 event on all hosts
FINALLY
    GROUP BY ts, User

Text (Notes)

A fixed value in a row and a column.

Example

SELECT
    'test' as text
FROM all events on 127.0.0.1

or

SELECT
    count() as count
FROM 4 events on all hosts

Regex Pattern
https://www.sgbox.eu/en/knowledge-base/regex-pattern/ (Wed, 14 Feb 2024)

1 Definition

A regex is a string of text that lets you create patterns that help match, locate, and manage text.
Regex can be a powerful and very fast method to extract parameters inside a log line to generate special objects, named “Events” on SGBox, to fully evaluate a log line message.

2 Regex generation

Concepts

Matching and Capture

When building a regex, two main actions are possible:

  • Match: you can use words/numbers or special combinations to match the line and go on evaluating it.
    Ex. This is my IP. Regex: This .*? my IP.
  • Capture: in addition to simply matching a word or another part of the string, you can also extract some information by wrapping it in round parentheses “()”. In this case the engine will separate the information inside the round parentheses from the other text. These pieces of text can be turned into “Parameters” inside the SGBox “Events” objects.

The regex engine is very flexible and permits more operations, but these two actions alone can be sufficient to generate a valid SGBox pattern.

Best Practice

Some rules must be kept in mind to improve efficiency and decrease possible abnormal behaviors:

  • The text must be as specific as possible in the first part. This is because when the regex engine starts to parse the log line, it stops at the first non-match from the beginning.
  • The match must be as little greedy as possible.
    Eg. not .* but instead .*?

Pattern Match
.*? Match any characters (non-greedy)
\s+ Match one or more spaces
(\d+) Generic multiple numbers match and capture (Port, numerical id, numerical session id, numerical severity)
(\d{1,5}) Match and capture port number (1-65535)
(\w+) Match and capture any single word
([\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}) Match and capture IP Address (not hostname)
([\d\.]+) Match and capture IP Address (not hostname)
([0-9a-fA-F:-]+) Match and capture any type of MacAddress
([0-9a-f:]+) Match and capture lowercase, : separated MacAddress
([0-9A-F:]+) Match and capture uppercase, : separated MacAddress
([0-9a-f-]+) Match and capture lowercase, - separated MacAddress
([0-9A-F-]+) Match and capture uppercase, - separated MacAddress
(.*?@.*?\..*?) Match and capture generic mail address
(?:alice|bob) Non-capturing OR match (at least one word must match)
(?:myparam)? Non-capturing optional match (match 0 or 1 time)
((\w+) .*?) Nested match and capture group. Capture first word and then the entire parameter
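As an added example (not SGBox code), the following Python shows the match/capture distinction and the greedy vs non-greedy rule from this section, together with the behaviour of the extract, extractAll, arrayStringConcat and multiMatchAny functions described in the Events Queries table, all run with Python’s re module on a constructed Windows logon line. The helper functions mirror the table’s descriptions and are my approximation of the SGBox semantics; the log line, user, domain, IP and regex list are constructed sample data.

```python
import re

# Constructed sample log line in the style of a Windows Security event
# (not real SGBox data; no real host, user or address).
LINE = ('Logon TargetUserName="tom.admin" TargetDomainName="CORP" '
        'IpAddress="10.0.0.25" LogonType="3" WorkstationName="WS01"')

# --- Helpers modelled on the Events Queries function table (assumed semantics,
# --- implemented with Python's re module, not the SGBox backend itself) ---

def extract(value: str, regex: str) -> str:
    """extract(column, 'regex (valuetoextract) secondpart'): the first capture
    group of the first occurrence, or '' when the regex does not match."""
    m = re.search(regex, value)
    return m.group(1) if m else ""


def extract_all(value: str, regex: str) -> list:
    """extractAll(column, 'regex(value1)other(value2)'): every captured value of
    every occurrence, returned as an Array (a Python list here)."""
    out = []
    for m in re.finditer(regex, value):
        out.extend(g for g in m.groups() if g is not None)
    return out


def array_string_concat(values: list, sep: str) -> str:
    """arrayStringConcat(array, 'separator_char'): join the Array into one string."""
    return sep.join(values)


def multi_match_any(value: str, regexes: list) -> bool:
    """multiMatchAny(column, ['regex1', 'regex2']): True if any regex is found
    in the value. The search is unanchored, just like match()."""
    return any(re.search(r, value) for r in regexes)


# --- Patterns built from the Pattern Match rows above ---

# IP address row: digits and dots only, so a hostname would not be captured.
IP_CAPTURE = r'IpAddress="([\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3})"'
# Same match, different capture: .* is greedy and runs to the LAST quote in the
# line, .*? is non-greedy and stops at the first one (the best-practice rule).
GREEDY_USER = r'TargetUserName="(.*)"'
LAZY_USER = r'TargetUserName="(.*?)"'


def parse_logon(line: str) -> dict:
    """Turn the captured groups of one log line into SGBox-style parameters."""
    return {
        "User": extract(line, LAZY_USER),
        "Domain": extract(line, r'TargetDomainName="(.*?)"'),
        "SourceIP": extract(line, IP_CAPTURE),
        # (?i) at the beginning makes the regex case-insensitive, as in the table.
        "LogonType": extract(line, r'(?i)logontype="(\d+)"'),
    }


def greedy_vs_lazy(line: str) -> tuple:
    """Return what the greedy and the non-greedy variant capture from one line."""
    return extract(line, GREEDY_USER), extract(line, LAZY_USER)


def all_quoted_values(line: str) -> str:
    """extractAll + arrayStringConcat: every key="value" value joined by '|'."""
    return array_string_concat(extract_all(line, r'="([^"]*)"'), "|")


def is_privileged(user: str) -> bool:
    """multiMatchAny(User, ['admin.*', 'Kevin']) from the table on a constructed
    list. Because the regex is unanchored, 'tom.admin' matches 'admin.*' too."""
    return multi_match_any(user, ["admin.*", "Kevin"])


if __name__ == "__main__":
    print(parse_logon(LINE))
    print(greedy_vs_lazy(LINE))
    print(all_quoted_values(LINE))
```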

References

Global Summary Cheat Sheet

Character   What does it do?                                                Example     Matches
^           Matches beginning of line                                       ^abc        abc, abcdef.., abc123
$           Matches end of line                                             abc$        my:abc, 123abc, theabc
.           Matches any character                                           a.c         abc, asg, a2c
|           OR operator                                                     abc|xyz     abc or xyz
(...)       Captures anything matched                                       (a)b(c)     Captures ‘a’ and ‘c’
(?:...)     Non-capturing group                                             (a)b(?:c)   Captures ‘a’ but only groups ‘c’
[...]       Matches anything contained in brackets                          [abc]       a, b, or c
[^...]      Matches anything not contained in brackets                      [^abc]      xyz, 123, 1de
[a-z]       Matches any character between ‘a’ and ‘z’                       [b-z]       bc, mind, xyz
{x}         Matches the preceding element exactly ‘x’ times                 (abc){2}    abcabc
{x,}        Matches the preceding element ‘x’ times or more                 (abc){2,}   abcabc, abcabcabc
{x,y}       Matches the preceding element between ‘x’ and ‘y’ times         (a){2,4}    aa, aaa, aaaaa
*           Greedy match of the preceding element zero or more times        ab*c        abc, abbcc, abcdc
+           Matches the preceding element one or more times                 a+c         ac, aac, aaac
?           Matches the preceding element zero or one times; also makes     ab?c        ac, abc
            a quantifier non-greedy
\           Escapes the following character or creates an escape sequence   a\sc        a c

Tools

Some tools can help you to create the right combination of regex:

3 SGBox Pattern Creation and Add (Advanced)

Object definition

  • Parameter: a single extracted value that also permits correlation between different patterns/classes.
  • Pattern / Event Name: the name that identifies a specific event extracted from the log.
  • Pattern / Event: an event/action/piece of information extracted from 1 line of log. In standard usage, to every event corresponds only 1 line of log.
  • Regex definition: the regex syntax that extracts information from the matching log line.
  • Class: a container to group different Events.

Concepts

  • Parameter name: if possible, always assign a parameter name that is already present in the dropdown menu. For performance reasons, avoid creating unnecessary parameters.
  • 💭 Capture only the relevant information: convert into parameters only the parts of the log that you really need.

Make a new pattern

To generate a new pattern go to LM -> Configuration -> Pattern and click on the “New Pattern” button.

In the first part you can search the log you need to parse, filter out the unnecessary logs and test your regex. In the right pane you can preview the captured group values that will later be transformed into parameters.

Here you must:

  1. Select the Hosts from which to retrieve the logs.
  2. Select a compatible time range to find the logs you need (try to reduce the time range if the regex is correct but you cannot find anything; the search is limited to 100.000 lines due to performance limits).
  3. Enter the search or final regex.
  4. Press “Search” to match the regex and extract the results.
  5. In the right pane you can see the captured groups matched by the regex.

Once you are sure that the correct logs are extracted, you can press the “Create” button and proceed to the Creation Window.

Here you must:

  1. Check, fix or complete the regex.
  2. Press the “Test” button to run the extraction on the example log extracted in the first box.
  3. Once the Parameters appear, you must associate the Value column with a Parameter Name in the second column. Avoid creating new Parameter names unless absolutely essential (for performance reasons).
  4. Fill in the Pattern Name and Description so that the pattern is easily searchable in the pattern view.
  5. Select “Create” to finalize the pattern creation.

SGBox Agent
https://www.sgbox.eu/en/knowledge-base/sgbox-agent/ (Thu, 22 Jun 2023)

Installation and Configuration

Requirements

To execute the Agent correctly, the following software is required:

  • .NET Framework 4.0
  • Internet Explorer dll framework
  • Outgoing open port 443

Antivirus Consideration

We have reported that some antivirus products can interfere with the normal operation of the Agent (we have seen many cases especially with Sophos). Please be sure to insert an exception.

  • Sophos

Preliminary Information

  • Agent Buffer: in case SGBox is offline, the agent acts as a buffer and stores the logs until the connection with the appliance is restored. The buffer capacity depends on the free disk space remaining.
  • Port used: the port used to communicate is 443.
  • Communication type: the SGBox Agent communicates through the Internet Explorer DCOM API.

Download

To install the agent you must download it from the dedicated download section of the SGBox Portal.

Note: to download SGAgent, it is required to log in or sign up on our portal and go to the Download SGBox Software section.

Installation Configuration

Extract the downloaded archive and run the setup.

Click on “Next/Avanti” to continue with the installation.

Browse to the folder where you want to install the agent.

Edit the field “Server ip” with the IP or FQDN of your SGBox.

You will be asked to confirm the data entered; click “Next/Avanti” to proceed with the installation.

Click on “Yes” to start the installation.

Click on “Close/Chiudi” to finish the installation.

If the installation terminates correctly, a new service named “SGBoxTask Service” will be created.

Log Retreive Configurations

Capture Logs from Standard Windows Event View

This section explains how to create a new configuration and command. A new command can be added in the same way to an existing configuration.

Log in to the SGBox web interface. Go to LM > Configuration > Agents.

Click on CLICK HERE TO CREATE NEW CONFIGURATION if you want to create a new configuration, or click on an existing configuration if you want to edit it.

Enter or modify a name for the configuration and select GetEventLog to retrieve new information from the Event Viewer.

Enter the details of your command:

  • Name: a descriptive name of your command.
  • Description: brief description of your command (not mandatory).
  • Frequency: how frequently this information will be sent to SGBox.
  • Log Name: the event log name. If it is not present, see the next section.
  • Event ID: select or specify the Event ID. You can select All events or -1 to tell the agent to send all events from the specified log.

You can add more commands to your configuration.

Drag & Drop your configuration onto the target host and Save Changes.

Capture Logs from Operational (Application) Windows Event View

This section explains how to create a new configuration and command from a custom event log. We’ll take the Terminal Services log as an example. Here are the details of the logs we want to retrieve:

See the previous section to specify a new command from a basic event log:
https://www.sgbox.it/sgbox/EN/knowledge-base/create-a-new-command/

First of all we need to find the exact name of the log: Right click > Properties

A new command can be added in the same way to an existing configuration.

Log in to the SGBox web interface. Go to LM > Configuration > Agents.

Click on CLICK HERE TO CREATE NEW CONFIGURATION if you want to create a new configuration, or click on an existing configuration if you want to edit it.

Enter or modify a name for the configuration and select GetEventLog to retrieve new information from the Event Viewer.

Enter the details of your command:

  • Name: a descriptive name of your command.
  • Description: brief description of your command (not mandatory).
  • Frequency: how frequently this information will be sent to SGBox.
  • Log Name: select ADD NEW.
  • New Log Name: the log name taken before.
  • Event ID: select or specify the Event ID. You can select All events or -1 to tell the agent to send all events from the specified log.

You can add more commands to your configuration.

Drag & Drop your configuration onto the target host and Save Changes.

Capture Logs from File/Folders (TailFolder method)

This section explains how to create a new configuration and the related command in order to retrieve logs from a specific folder.

Requirements

  • SGBox 5.0.2 or SGBox 4.2.7 is required.
  • At least SGAgent 3.2.7433.19116 is required.

Log in to the SGBox web interface. Go to LM > Configuration > Agents.

Click on CLICK HERE TO CREATE NEW CONFIGURATION if you want to create a new configuration, or click on an existing configuration if you want to edit it.
Enter a name and select TailFolder as command.

A new window appears. Enter the details of your command:

  • Name: a descriptive name of your command.
  • Description: brief description of your command (not mandatory).
  • Frequency: how frequently this information will be sent to SGBox.
  • Directory Path: where the logs are located.
  • File Name: the log file name; a star expression (wildcard) can also be used.
  • List Subdirectories: use this flag if you want to look for logs located in the subdirectories as well.
  • Timestamp Pattern: a regex to find the correct timestamp of the logs.
  • Timestamp Format: specify the logs’ timestamp format.
  • Timezone: you can specify whether the Timestamp is in local time or UTC.

ATTENTION: if the folder you are trying to monitor is inside C:/Windows/System32/ you need to use C:/Windows/sysnative/

Your command has been created. If you want, you can add more commands to your configuration.
Click on Save Changes to save your configuration.

Drag & Drop your configuration onto the target host and Save Changes.

When everything is configured you can see your logs in the Historical Search.

Configure File Integrity Monitoring

File Integrity Monitoring is a new feature introduced with the latest SGAgent version and it’s used to monitor files and shared folders. Using this feature you can monitor when a specific file is read, modified or deleted.

Attention: File Integrity Monitoring is not File Auditing; you are not able to see the user that executed the action.

Requirements

  • SGBox 5.1.3 or higher.
  • SGAgent 3.4 or higher.

The FIM package can be installed from SCM > Applications > Packages: click on Install to download and install the package, then click on Run and select the hosts you want to monitor.

Go to LM > Configurations > Agents.

In our example we create a specific configuration for this feature, but you can also create a new command in an existing configuration and modify it.
Click on “New Configuration” to create a new configuration and select CheckFolder.

A new window will appear to enter the command’s details:

  • Name: a descriptive name of your command.
  • Description: a short description of your command (not mandatory).
  • Frequency: how often this information will be sent to SGBox (60 sec suggested).
  • Directory Path: where the files or folders are located.
  • File Name: name of the file (you can also use the star expression).
  • Check Subdirectories: use this flag if you want to look at files located in subdirectories as well.
  • File Integrity: select the monitor mode* you want to use.
  • Exclude files: you can specify some files to exclude from the monitor (not mandatory, regex supported).

Monitor Mode

  • Monitor Only: checks the integrity only while the PC and the agent are running.
  • Monitor and store integrity: stores the integrity in an internal DB. Even if some operations on files are performed while the OS or the Agent is not running, the agent can identify them. Storing large directories can seriously impact performance.

Click OK to save the command.
Click “Save Changes” to save your configuration.

Drag and drop your configuration onto the target host and click again on “Save Changes”.

When everything is set up you can see your logs in the Historical Search or in the “File Integrity Monitoring” dashboards.

FIM is very useful if you want to monitor critical configurations or backups. It is not suggested to monitor the whole C: storage. Here are some interesting folders to monitor:

  • C:\inetpub\wwwroot
  • C:\Windows\Boot
  • C:\Windows\System32\drivers\etc

Strict TLS connection with a Personal Certificate

Starting from version 3.7 it is possible to configure the SGAgent to check the SGBox/Collector certificate before sending information.

Requirements:

  • SGAgent version 3.7
  • SGBox must have a valid certificate. See this section.

After installation, go to the installation directory. The default path is C:\Program Files (x86)\SGBox Agent. Open the file SGBoxTask.exe.config as Administrator with a text editor like Notepad.

Add the following entry after the connection strings: key="IgnoreCertificate" value="False"

Save the configuration and restart the SGBoxTask Service.

Check the file SGBoxTaskLog.txt to verify that everything is ok.
Here is an example of an error:

220330 14.51.05 0000008 *** Error The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. System at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context) at System.Net.HttpWebRequest.GetRequestStream() at SGBoxTask.Utils.Internet.GenerateCommandRequest(String uri, String ApplicationId, String login, String password)

Here is an example of the log when it works:

220330 14.54.20 0000004 Starting ServiceSGBoxTask
220330 14.54.20 0000006 Starting Main
220330 14.54.20 0000006 Params 0A002700000D https://sgbox192.sgbox.it/sgbox/LM/dataxchange/cmd.php https://sgbox192.sgbox.it/sgbox/LM/dataxchange/send.php
220330 14.54.20 0000006 SleepTime 10 msec
220330 14.54.20 0000006 RandomStartTimer 2 sec RandomMinStartTimer 1
220330 14.54.20 0000006 Enable TLS 1, 1.1, 1.2
220330 14.54.20 0000006 Starting StartSendPacket
220330 14.54.20 0000006 Starting StartGetCommand

Uninstall

Prerequisites

Before uninstalling the Agent, make sure that (for all users connected to the server):

  • All mmc.exe instances are closed
  • All Services panels (services.msc) are closed
  • The Task Manager (and Process Explorer) is temporarily closed
  • All Event Viewer instances are closed

To uninstall the Agent, go to "Add/Remove Programs", select "SGBox Agent" and click "Uninstall".

Reinstall Note: in case of an agent reinstall, it is recommended to fully restart the machine before proceeding with the new install.

Manual Full Remove

To fully remove the Agent if anything goes wrong, check and remove these items:

  • Service: stop and remove the service. You can use this PowerShell command:
    get-service SGBoxTask | stop-service
    then, in a cmd window:
    sc delete SGBoxTask
  • Registry: find and delete this Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SGBoxTask
  • Folders: completely remove this folder: C:\Program Files (x86)\SGBox Agent

Update Agent

To update the Agent you must completely uninstall the old version (we also recommend rebooting the machine if possible), then install the new version with the specific installer.

Silent/Unattended Mode

Install

In order to distribute SGAgent in silent mode, type the following command:

SetupSGBox.msi /q ServerIP="192.168.xxx.xxx"


Uninstall

In order to uninstall SGAgent in silent mode, type the following command:

msiexec /q /x {C09891C0-0E34-4873-A869-F9DC136E67C2}


Troubleshooting

The Agent consists of:

  • A service: named SGBoxTask; it must be set to automatic start and be running
  • Default installation folder: C:\Program Files (x86)\SGBox Agent – main files and folders
  • SGBoxTask.exe: the main executable file and service
  • SGBoxTaskLog.txt: the main log file of the agent itself
  • SGBoxAgent.exe.config: configuration file for the agent
  • C:\programdata\SGBoxTask\Packet: the folder where packets ready to be sent, or cached, are stored

How to analyze Agent log

The main log file is SGBoxTaskLog.txt. If you have any kind of problem related to the agent, you can send this file to support so that they can check the stream.

Some useful rows for checking that communication is correct are:

  • Rows with the command GetCommand: the agent is checking for the command to execute coming from LM -> Configuration -> Agents
  • Detected OLD Reqest xxx: SGAgent has identified a cached command that is no longer used and has marked it as inactive. It is informational
  • Read Json …: the Json command received from SGBox
  • Sending File …: a final packet has been sent to SGBox

Check Service

To check that the service is running, execute this command from a CMD window:

sc query SGBoxTask

If the status equals Running, the service is running correctly; otherwise it must be started, or the whole configuration checked.

Reconfigure IP on change appliance IP

Attention: this procedure is valid only for an IP change, not when you are migrating to a new appliance instance or a new major version.

To change the IP the agent queries, open the configuration file SGBoxTask.exe.config in the default folder and change these rows:

  • <add key="SGCommandUrl" value="https://<ip_to_change>/sgbox/LM/dataxchange/cmd.php" />
  • <add key="SGResponseUrl" value="https://<ip_to_change>/sgbox/LM/dataxchange/send.php" />

SGBoxTask.exe.config Definition

  • <CommandDelay>: time interval in seconds between requests for a new command configuration from SGBox
  • <MaxLogFileSize>: maximum size of the log file SGBoxTaskLog.txt
  • <LogLevel>: SGAgent log verbosity level for SGBoxTaskLog.txt
  • <SGCommandUrl>: complete URL queried for the command list coming from SGBox
  • <SGResponseUrl>: complete URL to which logs are sent to SGBox
  • <PageSize>: maximum size in bytes of the file sent to SGBox each time
  • <SleepTime>: milliseconds of delay before sending the file to SGBox
  • <MaxPacketFolderSize>: maximum size of the whole log waiting to be sent (or cached)
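As an added example (not SGBox's own tooling), the following PowerShell function goes through the troubleshooting items above in one pass: the SGBoxTask service state, the SGCommandUrl/SGResponseUrl/IgnoreCertificate keys in SGBoxTask.exe.config, the GetCommand, Sending File and error rows in SGBoxTaskLog.txt, and the number of cached packets. The default paths are the ones documented here; it assumes the config keys are <add key="..." value="..." /> entries as shown above.

```powershell
# Added example, not SGBox's own tooling: one pass over the troubleshooting
# items this article lists (service, config keys, log rows, cached packets).
# Default paths are the documented ones; log rows are matched on the markers
# that appear in the log samples above.
function Test-SGBoxAgentHealth {
    param(
        [string]$InstallDir  = 'C:\Program Files (x86)\SGBox Agent',
        [string]$PacketDir   = 'C:\ProgramData\SGBoxTask\Packet',
        [string]$ServiceName = 'SGBoxTask',
        [int]$TailLines      = 500      # only the most recent log rows are scanned
    )
    $r = [ordered]@{}

    # Service must exist, be running and be set to automatic start.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $r.ServiceStatus = if ($svc) { [string]$svc.Status } else { 'NOT INSTALLED' }
    $r.StartType     = if ($svc) { [string]$svc.StartType } else { 'n/a' }

    # Keys that decide where the agent talks to and whether it validates the TLS certificate.
    $cfgPath = Join-Path $InstallDir 'SGBoxTask.exe.config'
    if (Test-Path -Path $cfgPath) {
        [xml]$cfg = Get-Content -Path $cfgPath -Raw
        foreach ($key in 'SGCommandUrl', 'SGResponseUrl', 'IgnoreCertificate') {
            $node = $cfg.SelectSingleNode("//add[@key='$key']")
            $r[$key] = if ($node) { $node.GetAttribute('value') } else { '<missing>' }
        }
    } else { $r.Config = "not found: $cfgPath" }

    # GetCommand / Sending File rows show both directions working; "*** Error" rows
    # and the trust-relationship message point at a certificate problem.
    $logPath = Join-Path $InstallDir 'SGBoxTaskLog.txt'
    if (Test-Path -Path $logPath) {
        $lines = @(Get-Content -Path $logPath -Tail $TailLines)
        $r.GetCommandRows   = @($lines -match 'GetCommand').Count
        $r.SendingFileRows  = @($lines -match 'Sending File').Count
        $r.OldRequestRows   = @($lines -match 'Detected OLD').Count   # informational only
        $r.ErrorRows        = @($lines -match '\*\*\* Error')
        $r.CertTrustFailure = @($lines -match 'Could not establish trust relationship').Count -gt 0
    } else { $r.Log = "not found: $logPath" }

    # Packets piling up here mean the agent is caching because it cannot send.
    if (Test-Path -Path $PacketDir) {
        $r.PendingPackets = @(Get-ChildItem -Path $PacketDir -File -Recurse -ErrorAction SilentlyContinue).Count
    }
    [pscustomobject]$r
}

Test-SGBoxAgentHealth | Format-List
```

A CertTrustFailure of True together with IgnoreCertificate set to False is the situation described in the Strict TLS section: the agent is validating the certificate and SGBox/Collector is not presenting a trusted one.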

Network Connectivity Checklist

If the agent is unable to communicate with the Appliance/Collector, go through these checks to make sure that communication over the network is correct:

  • Check that machine firewall does not block the requests
  • Check that Antivirus installed does not block the requests
  • Check that network device between machine and main gateway does not block or drop requests
  • Check that no GPO configuration can collide with the agent requests
  • Check that the machine is enabled to communicate with at least SSL 1.3

log decryption test https://www.sgbox.eu/en/knowledge-base/log-decryption-test/ Wed, 24 May 2023 13:41:54 +0000 https://www.sgbox.it/sgbox/EN/?post_type=epkb_post_type_1&p=8784 Log decryption test

This article explains where encrypted logs are stored in SGBox and how to perform some decryption tests.

First of all, you need to know that after SGBox receives the logs it stores them in the Online Database, so that searches can be run with the Historical Search tool (LM > Analysis > Historical Search).
Meanwhile, SGBox also analyzes the logs in order to produce the events you can see in Class/Pattern Analysis, Templates, Dashboards, Reports, etc.
Here you can find some more information on how logs are stored and their retention: data retention

The raw logs are also stored on the filesystem in encrypted format using GPG. You can see them in LM > Configuration > Encryption.
On this page you can also download a specific log file and check that it cannot be read without the SGBox GPG keys.


In order to read it you need to download the GPG keys and store them in a file (read this article to learn how to do it: Export GPG key).

WINDOWS
Download and install a GPG program like GPG4WIN (https://www.gpg4win.org/). Run the program and choose the Import button. Select the previously exported GPG keys file.


Choose Decrypt/Verify and select your file.


Click on Save All to save the decrypted file.


LINUX
  • Import your keys:
    gpg --import < sgbox_pub.key
    gpg --import < sgbox_priv.key
  • Run the following command:
    gpg -d -q data_20200202050000_20200202055959_757.log.gpg
Logs Queries https://www.sgbox.eu/en/knowledge-base/log-queries/ Fri, 20 Jan 2023 08:18:14 +0000 http://10.253.1.91/?post_type=epkb_post_type_1&p=8191 Configure query on SGBox logs

This article explains how to configure the Log Queries functionality, which allows you to obtain any data from SGBox logs. These queries can be used to send alerts, create events or run a Playbook.

Requirements:

  • SGBox version 5.5.4

From the SGBox menu, go to LM > Analysis > Events Queries, select New Query and then select Logs.
Use SQL syntax to write the query sections:

  • SELECT: you can use the placeholders $TIMESTAMP, $HOST, $LINE.
  • FROM: selects the hosts on which to perform the query.
  • WHERE: you can filter on the value of $LINE.
  • FINALLY: additional clauses to complete the query, such as GROUP or LIMIT.


You can now SAVE or TEST your query and view the result.


Directory Import https://www.sgbox.eu/en/knowledge-base/directory-import/ Tue, 26 Jul 2022 14:40:43 +0000 http://10.253.1.91/?post_type=epkb_post_type_1&p=7648 Directory Import

This feature is used to upload files to SGBox using the SFTP or SMB protocol.

Requirements:

  • SGBox version 5.1.0

First of all, check your connection with the log user; its credentials were set during the first wizard.
From a terminal program (such as PuTTY), move from the local folder to the "import" directory and create the application folder. Then assign the right privileges.


From LM > Configuration > Directory Import select "New Import". The folder you created must be visible in the list.


You can upload files to SGBox using the SFTP or SMB protocol.
Note: the SMB protocol is not active by default. You need to activate it using the CLI command.

In our example we upload a sample file via SFTP.


From the web interface you can see the uploaded file.


We suggest setting up:

  • the IP and Name of the machine. Once imported, the logs will be associated with the specified host.
  • Active set to ON in order to start the import.
  • the Generic filter from the filter list. This is used to identify the timestamp in your logs.

If everything worked fine you will see the logs appear in the next window.


SGBox will check for new logs every minute.


You can see the logs in LM > Analysis > Historical Search.

You can also download the sample file from here: http://www.sgbox.it/download/7662/

Multiclass Analysis https://www.sgbox.eu/en/knowledge-base/multiclass-analysis/ Mon, 13 Jun 2022 09:17:51 +0000 http://10.253.1.91/?post_type=epkb_post_type_1&p=7453

Multiclass Analysis

The Multiclass Analysis is useful when you need to show a subset of the collected information. In this tool you can use regex to filter the different pieces of information. Following the release of version 6.0.0, please refer to this link: https://www.sgbox.eu/en/knowledge-base/the-custom-report-panel-functionalities-and-usage/

Requirements:

  • SGBox Version 4.2.1.

Examples:

  • You need to show all the users whose name starts with admin_
  • You need to exclude temporary files
  • You need to filter specific events or categories

Once the information has been collected and shown in Class/Pattern Analysis, you can go to LM > Configuration > Multi-class Analysis.


Select the Classes, hosts and Patterns of interest, then apply your filter:

In the previous example we have:

  • Filtered the HttpURL that ends with / in order to identify the page name
  • Excluded all the HTTPUser-agent values containing the word bot or crawler

You can save your search as Template or produce a report directly from here.

You can also create a dashboard on the filtered values: from SCM > Dashboard > Dashboard. Select Dashboard > Create New Dashboard > New Widget then Multiclass Analysis from the provided menu.

Select the saved Template to create the dashboard:

 
