Applications – SGBox Next Generation SIEM & SOAR (https://www.sgbox.eu), feed generated Thu, 20 Mar 2025 10:11:53 +0000

Telegram App
https://www.sgbox.eu/en/knowledge-base/telegram-app/ (published Tue, 18 Jun 2024 09:19:38 +0000)

Configure SGBox to use the Telegram API in the LCE module and send alert messages

This article explains how to configure SGBox to interact with the Telegram API in order to send alert messages when a specific event occurs.

Requirements:

  • SGBox version 4.2.4 with the LM and LCE modules.
  • A Telegram bot.

There are many tutorials on how to create a Telegram bot; this example uses @BotFather.
First create your bot and obtain its token:

A token looks like: 1148120703:AbIUGpERusdQDEEag_EL1KDtynRB9sIhbj1.
You also need the chat_id: start the bot and say “Hello” to it, then retrieve the chat id.

From your browser go to:
https://api.telegram.org/bot1148120703:AbIUGpERusdQDEEag_EL1KDtynRB9sIhbj1/getupdates

Find the ID in the response:
id: 124229696

Telegram App Installation

Install the Telegram application: SCM > Applications > Packages

Find “Telegram Alert”. In this case the package is already installed, but the Install button is in the same place.

After the download, verify it in PB (the Playbook section).

When PB is open, search for “Telegram alert” in the name filter.

When Telegram_Alert appears, modify it with the button on the right side.

The Telegram_Alert playbook has this format.

Next, create an Event/logs query to connect with the Telegram_Alert playbook: go to LM > Analysis > Event/logs queries.

Create a new query with the blue button on the right.

In the SELECT, put the parameters you want to see in the message that will arrive on Telegram.

In this example we write:

 $HOST as Host, $EVENT as Action, $PARAM:[TargetUserName] as details, $TIMESTAMP as Timestamp

Now set your FROM (the class or classes).

Now choose the event or events.

Important: verify that the query works properly. NB: before clicking the Test button, check the time range.

Now press the “Show Scheduling Options” button.

Tick the “Run Playbook” flag and choose the Telegram alert playbook.

Back in the Playbook section, set your Telegram bot credentials: go to the second rectangle from the left and click Modify.

Name field: bot_id (do not change). The value is the token obtained in the first part of this guide.

Value: 1148120703:AbIUGpERusdQDEEag_EL1KDtynRB9sIhbj1

Name field: chat_id (do not change). The value is the chat id obtained in the first part of this guide.

Value: 124229696

Once the credentials are entered, test everything, save and close the window.

Go to Format message.

As before, click the edit button; in the Text section write the Telegram message that will be delivered to us once it is set up:

Telegram Alert
Host: $1

Action: $2

Details: $3

Timestamp: $4

The values refer to the query created earlier. To add parameters to the message text click the plus icon; click the trash icon to delete one.

Save everything with the “Save” button on the right.

Back in the Playbook section, search for Telegram_Alert and check the status of the playbook on the right side: if it is green, the playbook will alert you whenever the selected event happens.

If everything is correct, after the login Telegram alerts me that someone has performed a LogonOK.
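The two manual steps above (reading the chat id out of the getUpdates response, and mapping the query columns onto the $1..$4 placeholders of the playbook message) can be checked with a short script. The following Python is an added example for this page, not SGBox's or Telegram's code: SAMPLE_GETUPDATES is a constructed response shaped like the one the browser shows, and the bot token, row values and chat id in the demo are placeholders.

```python
from __future__ import annotations

import json
import re
from urllib.parse import urlencode

# Constructed sample of a Telegram getUpdates response (made-up ids and names),
# shaped like the one you see in the browser after saying "Hello" to the bot.
SAMPLE_GETUPDATES = json.dumps({
    "ok": True,
    "result": [
        {
            "update_id": 100000001,
            "message": {
                "message_id": 1,
                "from": {"id": 124229696, "is_bot": False, "first_name": "Ops"},
                "chat": {"id": 124229696, "first_name": "Ops", "type": "private"},
                "date": 1718700000,
                "text": "Hello",
            },
        }
    ],
})


def extract_chat_ids(getupdates_body: str) -> list[int]:
    """Return the distinct chat ids found in a getUpdates response body.

    The playbook's chat_id field wants message.chat.id, not the sender id:
    the two coincide for a private chat but differ for group chats.
    """
    body = json.loads(getupdates_body)
    if not body.get("ok"):
        raise ValueError(f"Telegram API error: {body.get('description', 'unknown')}")
    seen: list[int] = []
    for update in body.get("result", []):
        msg = update.get("message") or update.get("edited_message") or {}
        chat_id = msg.get("chat", {}).get("id")
        if chat_id is not None and chat_id not in seen:
            seen.append(chat_id)
    return seen


# Column order of the event/logs query from the article:
# $HOST as Host, $EVENT as Action, $PARAM:[TargetUserName] as details, $TIMESTAMP as Timestamp
QUERY_COLUMNS = ["Host", "Action", "details", "Timestamp"]

# Message template from the "Format message" step; $N is the N-th query column.
ALERT_TEMPLATE = "Telegram Alert\nHost: $1\nAction: $2\nDetails: $3\nTimestamp: $4"


def render_alert(template: str, row: dict[str, str], columns: list[str]) -> str:
    """Fill each $N placeholder with the N-th column of one query result row."""
    def repl(match: re.Match) -> str:
        idx = int(match.group(1)) - 1
        if idx < 0 or idx >= len(columns):
            raise KeyError(f"placeholder ${match.group(1)} has no matching query column")
        return str(row[columns[idx]])
    return re.sub(r"\$(\d+)", repl, template)


def build_send_message_request(bot_token: str, chat_id: int, text: str) -> tuple[str, dict]:
    """Return (URL, form fields) for the Bot API sendMessage call.

    The token sits in the URL path, so the URL itself is a credential and
    should be treated like one in logs and screenshots.
    """
    url = f"https://api.telegram.org/bot{bot_token}/sendMessage"
    return url, {"chat_id": chat_id, "text": text}


if __name__ == "__main__":
    ids = extract_chat_ids(SAMPLE_GETUPDATES)
    # Constructed row, as the query above would return it for a logon event.
    row = {"Host": "DC01", "Action": "LogonOK", "details": "j.doe", "Timestamp": "2024-06-18 09:19:38"}
    text = render_alert(ALERT_TEMPLATE, row, QUERY_COLUMNS)
    url, fields = build_send_message_request("<BOT_TOKEN>", ids[0], text)  # placeholder token
    print(url)
    print(urlencode(fields))
```

A playbook whose template references a $N with no matching column fails at render time; the KeyError above makes that mismatch visible before anything is sent.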
Packages Management
https://www.sgbox.eu/en/knowledge-base/packages-management/ (published Fri, 15 Sep 2023 14:27:09 +0000)

Main Concept

A package is a box that contains many preconfigured items for a specific vendor or functionality.

Typically a package may contain:

  • pattern
  • class
  • template
  • dashboard
  • profiles and vendors association
  • playbook

In a multitenant environment, a package must be updated tenant by tenant.

Package Installation

You can check the package list to retrieve and install pre-configured objects to integrate into your appliance. To install a package, reach the page from SCM -> Applications -> Packages.

Select the package that you need to install and start the process with the “Install” button; a popup will appear. To confirm the installation you need to select the “Download and Install” button.

Once the package is downloaded, you must associate it with the hosts. This lets the system automatically associate those hosts with the correct Class, Template, Vendor and other related objects, so that their logs are parsed and converted into events.

Package content preview and filtered object installation

To view the content of the package before installing it to hosts, select the “Customize” button near the “Install” button to view all the objects inside it. You can also select only the objects that you need.

Installation re-run

If you want to associate other hosts after the first package wizard, you can re-run the wizard with the “play” ▶ button near the related package.

With this option you can:

  • Add new hosts
  • Configure a different e-mail for all the Rules and Actions
  • Review the package content with “Customize”

Package Update

If a new package version is available, a new icon appears under the “play” icon, with double arrows in a circle 🔁.

You can review the package content and then update it.

❗ Update Note: remember that every item in the package may be overwritten (the object ID is used as the reference) when you confirm the update. This may include name modifications, action resets in LCE Rules or Event Query actions, and so on.

Package removal

To remove a package, select the “Trash” 🗑 icon, then confirm the deletion in the next popup.

Removal Note: remember that removal does not remove the associated active elements; these must be removed manually.

Custom package

In a multitenant or multimanagement environment, you can create a custom package. A custom package must be uploaded manually on every tenant and must maintain low IDs on its objects.

Creation

To create a package, go to SCM -> Actions -> Packages

Next you can select the elements to include in the package:

  1. An already present package to start from. This is used mainly to produce official packages.
  2. Multiple elements to include, such as patterns, classes, dashboards, rules, templates, event queries, playbooks, profiles and vendors.
  3. Actions:
    1. Download package: with this option you can download the newly created package. You must provide a name, a short description and optionally (but recommended) a logo (square format 1:1; any other aspect ratio will be stretched; a non-transparent logo is recommended for theme compatibility). The package download starts in encrypted format.
    2. Export to tenants: this option is present only for an impersonating user in a multitenant environment. It allows sharing elements directly with other tenants. Once selected, in the next popup you can select the tenants to share the objects with.

Note: pay attention to object dependencies (e.g. a dashboard with widgets coming from a Template or EQ); these are not shown in the page during creation, due to the flexibility of the creation steps.

New Package Export

This section describes how to use the new version of the page that allows you to export a set of objects in a package, or transfer them to other tenants of a multitenant environment.
The main innovation of the new version of the package export page is the ability to show all types of objects together. When you first open the page, you see all existing objects, with a maximum of 1000 displayed. Then you can filter the list by:

  • Package(s): to see all the objects contained in one (or more, combined) package(s) already installed on SGBox.
  • Name and description: write any text to see all the objects that contain it in their name or description.
  • Types: to see only objects of certain types (e.g. dashboards, patterns).
  • Tags: to see only objects associated with the selected tags.

All filters can be combined, so you can see, for example, all Classes and Patterns named like “Watchguard”. You have to click the FILTER button to apply the filters.

The FILTER button does not apply to the package selection filter, which works immediately and also pre-selects the objects contained in the package(s). This allows you to edit an existing package by simply adding new objects or deselecting the ones you want to remove from the package.

An object can be selected, to include it in the package that will be exported, if its switch is enabled. If an object cannot be selected, it is shown for display only; it will be included automatically in the package if it is related to selected objects. When you select an object, the system highlights with a check icon all the other objects that are related to the selected one. Those related objects will be included in the package too, without needing to be selected manually.

As the related objects may not be immediately visible in the list, the PREVIEW button at the bottom right of the page can be used to show, at any time, all the objects that will be included in the package.

The search icon next to any selectable object lets you preview all the objects related to the one you clicked, to see what would be included in the package if that object were selected.
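The related-object behaviour described in this section (pre-selection, check icons, PREVIEW and the search icon) is a transitive closure over object dependencies, and the Update Note above says objects are matched by ID when a package is updated. The following Python is an added illustration written for this page, not SGBox's code: the object types, ids, names and dependency edges in SAMPLE_DEPENDENCIES and the installed/package name maps are constructed.

```python
from collections import deque

# Constructed dependency graph: (type, id) -> objects it needs. Ids and edges
# are made up; a real dashboard depends on templates/event queries, those on
# classes, and classes on patterns, which is the shape modelled here.
SAMPLE_DEPENDENCIES = {
    ("dashboard", 10): [("template", 20), ("eventquery", 30)],
    ("template", 20): [("class", 40)],
    ("eventquery", 30): [("class", 40), ("playbook", 50)],
    ("class", 40): [("pattern", 60), ("pattern", 61)],
    ("playbook", 50): [],
    ("pattern", 60): [],
    ("pattern", 61): [],
    ("report", 70): [("class", 40)],
}


def package_preview(selected, deps):
    """Everything the exported package will contain: the selected objects plus
    all objects they depend on, transitively (breadth-first walk of the graph).
    This is what the PREVIEW button shows."""
    included = set()
    queue = deque(selected)
    while queue:
        obj = queue.popleft()
        if obj in included:
            continue
        included.add(obj)
        queue.extend(deps.get(obj, ()))
    return included


def related_objects(obj, deps):
    """What the search icon next to an object shows: all objects that would be
    pulled in if that single object were selected (excluding itself)."""
    return package_preview([obj], deps) - {obj}


def update_conflicts(package_objects, installed_objects):
    """Update Note check: objects are matched by (type, id). Where the appliance
    already has that id under a different name (for example a renamed class),
    confirming the update overwrites it. Both arguments map (type, id) -> name."""
    return sorted(
        (key, installed_objects[key], new_name)
        for key, new_name in package_objects.items()
        if key in installed_objects and installed_objects[key] != new_name
    )


if __name__ == "__main__":
    for obj in sorted(package_preview([("dashboard", 10)], SAMPLE_DEPENDENCIES)):
        print("included:", obj)
    # Constructed names: the customer renamed class 40 locally after the first install.
    installed = {("class", 40): "Windows Logon (customised)", ("pattern", 60): "Logon OK"}
    package = {("class", 40): "Windows Logon", ("pattern", 60): "Logon OK", ("pattern", 99): "Logoff"}
    for key, old, new in update_conflicts(package, installed):
        print(f"update would overwrite {key}: {old!r} -> {new!r}")
```

Running the conflict check before confirming an update is the practical way to honour the Update Note: it lists exactly which locally modified objects will lose their changes.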

Upload on tenant

Once the package is downloaded in encrypted format, you can upload it to other tenants by entering the target tenant and uploading it via SCM -> Applications -> Upload App.

Once uploaded, a new section named “Custom” appears in the application.

Update custom package

When updating a custom package, the package matches objects by the name and/or ID of the objects already present in the appliance, so pay attention when renaming objects already exported or recreating them.

Syslog forwarding from sgbox to another server
https://www.sgbox.eu/en/knowledge-base/syslog-forwarding-from-sgbox-to-another-server/ (published Tue, 23 May 2023 16:05:09 +0000)

Syslog forwarding from sgbox to another server

This article explains how to forward logs/events received by SGBox to another server using the syslog protocol.
First of all you need to download the “SGBox syslog forwarder” application, or ask support via ticket to unlock it.
Remember that this application reads data from the internal repository and forwards logs, events or incidents to an external syslog server.

From SCM > Application > Tools click Install on the SGBox syslog forwarder application.

Launch the application and configure it:

IP Address: Only IP addresses are allowed in the “Remote syslog server address” field.
Class ID: The Class ID field specifies one or more classes to retrieve logs and events from. A class is identified by its class id (LM->Configuration->Class, the # column). Comma-separated class IDs are allowed to identify more hosts and events that should be forwarded. As an alternative, you can create a single new class containing all the hosts/events that should be forwarded; this solution is less readable, but allowed.
Protocol: TCP or UDP. Use TCP if possible, since it is the more reliable protocol.
Port: Destination port.
Send RAW data from hosts in these classes corresponding to the selected events: tells SGBox to forward only the logs used to generate an event (i.e. in a “logon” class, only the raw data that represents a logon will be forwarded).
Send all RAW data from hosts in these classes: tells SGBox to forward all the logs from the hosts that belong to the selected classes (more verbose).
Send events (JSON format): tells SGBox to forward only the events that were generated by the event extraction system. Incidents (events generated by correlation rules) can be forwarded as well; you need to specify the classes they are bound to in the Class ID field (again, in LM->Configuration->Class).

Additional information:

  • Data is sent using RFC 5424.
  • Raw data and events are sent with the same origin and timestamp as the original raw log and event.
  • Raw data is sent in plain text.
  • Events are sent in JSON format.
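The four points above fix the wire format a receiving collector should expect: RFC 5424 messages whose TIMESTAMP and HOSTNAME are those of the original log or event, raw lines as plain text, events as JSON. The following Python is an added example for this page, not the forwarder's code: it builds such messages for a constructed raw line and a constructed event, parses them back the way a collector-side check would, and frames them for TCP. Octet-counting framing (RFC 6587) and the app name "sgbox-forwarder" are assumptions, since the page does not state how the application frames TCP.

```python
import json
import socket
from datetime import datetime, timezone


def build_rfc5424(timestamp, hostname, app_name, msg, facility=1, severity=6,
                  procid="-", msgid="-", structured_data="-"):
    """Build one RFC 5424 message: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.

    PRI is facility*8 + severity (1/6 = user-level, informational). The
    timestamp must be timezone-aware so the original event time survives the
    hop unchanged instead of being replaced by the forwarder's clock.
    """
    if timestamp.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware (RFC 5424 needs an offset)")
    pri = facility * 8 + severity
    ts = timestamp.isoformat(timespec="milliseconds")
    return f"<{pri}>1 {ts} {hostname} {app_name} {procid} {msgid} {structured_data} {msg}"


def raw_message(raw_line, origin_host, original_ts, app_name="sgbox-forwarder"):
    """Raw data mode: the original log line goes through as plain text."""
    return build_rfc5424(original_ts, origin_host, app_name, raw_line)


def event_message(event, app_name="sgbox-forwarder"):
    """Event mode: the event travels as compact JSON, keeping its own host and timestamp."""
    ts = datetime.fromisoformat(event["timestamp"])
    return build_rfc5424(ts, event["host"], app_name,
                         json.dumps(event, separators=(",", ":")), msgid="event")


def frame_for_tcp(message):
    """Octet-counting framing (RFC 6587, assumed here): b'<length> <message>'."""
    data = message.encode("utf-8")
    return f"{len(data)} ".encode("utf-8") + data


def parse_rfc5424_header(message):
    """Collector-side check: split the header and return its fields plus MSG.
    Only NILVALUE ('-') structured data is handled, which is what we emit."""
    if not message.startswith("<"):
        raise ValueError("missing PRI")
    pri_end = message.index(">")
    pri = int(message[1:pri_end])
    parts = message[pri_end + 1:].split(" ", 6)
    if len(parts) < 7 or parts[0] != "1":
        raise ValueError("not an RFC 5424 version 1 message")
    _version, ts, host, app, procid, msgid, tail = parts
    if not tail.startswith("-"):
        raise ValueError("structured data other than '-' is not handled")
    _sd, _, msg = tail.partition(" ")
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": datetime.fromisoformat(ts),
            "hostname": host, "appname": app, "procid": procid, "msgid": msgid, "msg": msg}


def send(messages, ip, port, protocol="TCP"):
    """Ship messages to the remote collector: framed over TCP, one datagram each over UDP."""
    if protocol.upper() == "TCP":
        with socket.create_connection((ip, port)) as s:
            for m in messages:
                s.sendall(frame_for_tcp(m))
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            for m in messages:
                s.sendto(m.encode("utf-8"), (ip, port))


# Constructed samples: one raw firewall line and one extracted logon event.
SAMPLE_RAW_TS = datetime(2023, 5, 23, 16, 5, 9, tzinfo=timezone.utc)
SAMPLE_RAW = "May 23 16:05:09 fw01 kernel: ACCEPT 10.0.0.5:51234 -> 10.0.0.10:443"
SAMPLE_EVENT = {"timestamp": "2023-05-23T16:05:09+00:00", "host": "dc01",
                "class": "Windows Logon", "event": "LogonOK",
                "params": {"TargetUserName": "j.doe"}}

if __name__ == "__main__":
    for m in (raw_message(SAMPLE_RAW, "fw01", SAMPLE_RAW_TS), event_message(SAMPLE_EVENT)):
        print(m)
        print(parse_rfc5424_header(m)["timestamp"])
    # send([...], "192.0.2.10", 514, "TCP")  # network call, left commented so the example runs offline
```

Checking the parsed timestamp against the original on the receiving side is the quickest way to confirm the "same origin and timestamp" property has not been lost by an intermediate relay that rewrites headers.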

After configuring it you need to schedule your app! See this section to know how to do it.

Configure Oracle App
https://www.sgbox.eu/en/knowledge-base/configure-oracle-app/ (published Tue, 03 Jan 2023 10:41:46 +0000)

Download and Configure Microsoft SQL App

This article explains how to configure the Oracle App in order to retrieve logs from a specified database table.
Requirements:

  • SGBox version 4.2.5

Go to the application list: from SGBox go to SCM > Applications

Select Vendors Integrations and download the application Log from Oracle. Click INSTALL. Once installed, click the EDIT icon.

You need to configure the application as follows:

Host: Database IP
SID: Oracle SID
Port: DB port
Username: Oracle user used to log in
Password: Oracle user's password
Star Date: Initial date to retrieve logs
Timestamp field: The column name that contains the timestamp
Timestamp table: The table that contains the timestamp
Separate field: Character used to separate information once retrieved
Query: Query used to extract information

IT’S VERY IMPORTANT NOT TO PUT ANY TIMESTAMP CONDITION OR * IN THE SELECT FIELD

After configuring it you need to schedule the application to be executed. See this section to know how to schedule an application.

The first time the application runs, some components are added; if everything is ok you can see the results in LM > Analysis > Historical Search.

Once executed you’ll see your logs in LM > Analysis > Historical Search.

If you have more databases or more SQL Servers you can clone the application and configure a new one.

AWA – Advanced Windows Audit
https://www.sgbox.eu/en/knowledge-base/awa-advanced-windows-audit/ (published Fri, 02 Jul 2021 15:40:09 +0000)

How to configure and run AWA – Advanced Windows Audit

AWA is an SGBox feature that leverages the free Microsoft Sysmon tool to increase the visibility of your Windows environment. AWA helps to detect malicious activity and promotes a better understanding of the in-depth aspects of Windows machines, by tracking many events and detailed information such as DNS queries, inbound/outbound connections, registry changes, file tampering, process creation, process memory usage, and many more.

AWA PACKAGE

The AWA package comes with a rich set of dashboards to explore and drill into the information gathered. SGBox’s easy approach to customization allows customers to extend the base package based on their needs, creating new LCE detections, reports and dashboards.

REAL TIME MONITORING

It is very easy and useful to create specific alerts using the detailed AWA-generated events to monitor under-the-hood processes and potentially malicious activities.

MITRE ATT&CK MAPPING

Based on the work of Olaf Hartong on the Sysmon configuration file, AWA is also capable of mapping specific events to the MITRE ATT&CK framework. The AWA package extends the MITRE mapping capability with specific functionalities such as the on-line Tactics & Techniques matrix viewer, or the contextual Technique browser embedded in the dashboard.

CUSTOMIZABLE

The AWA Sysmon configuration file is completely customizable, so the starting set can be extended to generate the events the customer needs by updating the configuration. For example, it is possible to monitor the termination of a specific process, the changes made to a specific registry key and many other hidden events.

EASY SETUP

The AWA package is extremely easy to install and deploy, so switching from normal to in-depth visibility is a matter of minutes. Sysmon and its SGBox-customized configuration can be easily deployed through a GPO login script or any other software distribution tool; it does not require a machine reboot. Once the Sysmon executable has been deployed you just need to install the SGBox Advanced Windows Auditing package to have everything up and running.

First of all you need to download Sysmon and its configuration file. Install it on the computers you want to monitor.

TIP
The package currently supports Sysmon v13.02, so be sure to install and configure the proper Sysmon version. Follow the previous links to download the right Sysmon version and the corresponding configuration file.
After that you need to download the AWA package from SGBox: SCM > Application > Packages > AWA – Advanced Windows Audit. Once installed, run the package, select the hosts with Sysmon installed, then click Install.

The AWA package, as explained before, creates a lot of classes, reports and dashboards. You can see the Sysmon events in the Windows Sysmon Events class.
You can select one of the events of interest and analyze it.

Search in the event for the MITRE Technique ID. In this case it is the parameter TID.

From SCM > Dashboard > Dashboard, create a new dashboard and select Mitre Att&ck. Select the parameters you want to see, and in particular the Mitre parameter.

The discovered techniques will light up on the dashboard.
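Where the TID parameter comes from: in Olaf Hartong's sysmon-modular configuration, each rule's name (the RuleName field of the Sysmon event) carries a string of the form "technique_id=T1059,technique_name=Command-Line Interface", and a matrix dashboard is a count of events per technique. The following Python is an added example for this page, not SGBox's or the AWA package's code: SAMPLE_EVENTS is a constructed set of already-parsed Sysmon event parameters, and the aggregation shows what a per-technique dashboard cell is built from.

```python
import re

# Constructed, already-parsed Sysmon events (the kind of fields a class exposes).
# RuleName follows the sysmon-modular convention "technique_id=Txxxx,technique_name=...";
# "-" means the matching rule carried no ATT&CK annotation.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "RuleName": "technique_id=T1059,technique_name=Command-Line Interface"},
    {"Computer": "WS02", "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "RuleName": "technique_id=T1059.001,technique_name=PowerShell"},
    {"Computer": "WS01", "EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "RuleName": "technique_id=T1547.001,technique_name=Registry Run Keys / Startup Folder"},
    {"Computer": "WS01", "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "RuleName": "technique_id=T1059,technique_name=Command-Line Interface"},
    {"Computer": "WS03", "EventID": 22, "QueryName": "example.net", "RuleName": "-"},
]

# Technique ids look like T1059 or, for sub-techniques, T1059.001.
TID_RE = re.compile(r"technique_id=(?P<tid>T\d{4}(?:\.\d{3})?)")
NAME_RE = re.compile(r"technique_name=(?P<name>[^,]+)")


def extract_technique(rule_name):
    """Return (technique_id, technique_name) from a RuleName, or None when the
    rule carries no mapping (missing field or "-")."""
    if not rule_name:
        return None
    m = TID_RE.search(rule_name)
    if not m:
        return None
    n = NAME_RE.search(rule_name)
    return m.group("tid"), (n.group("name").strip() if n else "")


def technique_matrix(events):
    """Aggregate events per technique: count and the hosts on which it was seen.
    This is the information a MITRE dashboard cell lights up with."""
    matrix = {}
    for ev in events:
        found = extract_technique(ev.get("RuleName"))
        if found is None:
            continue
        tid, name = found
        cell = matrix.setdefault(tid, {"name": name, "count": 0, "hosts": set()})
        cell["count"] += 1
        cell["hosts"].add(ev.get("Computer", "?"))
    return matrix


def render_matrix(matrix):
    """One text line per technique, sorted by id, for a quick console view."""
    lines = []
    for tid in sorted(matrix):
        cell = matrix[tid]
        hosts = ",".join(sorted(cell["hosts"]))
        lines.append(f"{tid:<10} {cell['name']:<40} {cell['count']:>3}  hosts={hosts}")
    return lines


if __name__ == "__main__":
    print("\n".join(render_matrix(technique_matrix(SAMPLE_EVENTS))))
```

Events whose rule has no annotation (the DNS query above) are still valuable telemetry but do not contribute to the matrix, which is why a dashboard built only on the Mitre parameter undercounts total Sysmon volume.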

Configure MySQL App
https://www.sgbox.eu/en/knowledge-base/configure-mysql-app/ (published Fri, 27 Mar 2020 22:39:24 +0000)

Download and Configure MySQL App

This article explains how to configure the MySQL App in order to retrieve logs from a specific database table.
Before starting, here you can see how our database is configured:

Requirements:

  • SGBox version 4.2.5

Go to the application list: from SGBox go to SCM > Applications

Select Vendors Integrations and download the application Log from MySQL

You need to configure the application as follows:

Host: Database IP
Username: SQL user used to log in
Password: SQL user's password
Star Date: Initial date to retrieve logs
Timestamp field: The column name that contains the timestamp
Timestamp table: The table that contains the timestamp
Separate field: Character used to separate information once retrieved
Query: Query used to extract information
DB name: The database name

After configuring it you need to schedule the application to be executed. See this section to know how to schedule an application.

Once executed you’ll see your logs in LM > Analysis > Historical Search

If you have more databases or more SQL Servers you can clone the application and configure a new one.

Configure MSSQL App
https://www.sgbox.eu/en/knowledge-base/configure-mssql-app/ (published Fri, 27 Mar 2020 19:49:50 +0000)

Download and Configure Microsoft SQL App

This article explains how to configure the MSSQL App in order to retrieve logs from a specified database table.
Before starting, here you can find how our database is configured, by logging in with SQL Authentication:

You can see:

  • In red: the database configuration
  • In black: the query results

Requirements:

  • SGBox version 4.2.5
  • SQL Authentication must be used to execute the query

Go to the application list: from SGBox go to SCM > Applications

Select Vendors Integrations and download the application Log from SQL Server

You need to configure the application as follows:

Host: Database IP
Connection string: Used to connect to the database
Username: SQL user used to log in
Password: SQL user's password
Star Date: Initial date to retrieve logs
Timestamp field: The column name that contains the timestamp
Timestamp table: The table that contains the timestamp
Separate field: Character used to separate information once retrieved
Query: Query used to extract information

After configuring it you need to schedule the application to be executed. See this section to know how to schedule an application.

The first time the application runs, some components are added; if everything is ok you can see the results in LM > Analysis > Historical Search

Once executed you’ll see your logs in LM > Analysis > Historical Search

If you have more databases or more SQL Servers you can clone the application and configure a new one.
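The Oracle, MySQL and MSSQL apps above share the same Query, Timestamp field and Separate field settings, and the Oracle article states the rule that the query must name its columns and carry no timestamp condition. The following Python is an added example for this page, not SGBox's code: it assumes, as an illustration of why that rule exists, that each scheduled run wraps the configured query in its own timestamp filter and joins the row values with the separator. The audit_log table, its rows, the queries and the use of an in-memory SQLite database (so the example runs offline; a real driver uses its own bind-parameter style) are constructed.

```python
import re
import sqlite3


def demo_connection():
    """Constructed sample table standing in for the customer's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE audit_log (id INTEGER PRIMARY KEY, ts TEXT, username TEXT, action TEXT)")
    conn.executemany(
        "INSERT INTO audit_log VALUES (?, ?, ?, ?)",
        [
            (1, "2023-01-01T09:00:00", "alice", "LOGIN"),
            (2, "2023-01-02T09:15:00", "alice", "LOGOUT"),
            (3, "2023-01-03T10:00:00", "bob", "LOGIN"),
        ],
    )
    conn.commit()
    return conn


# Values a user would type into the app's fields (constructed).
GOOD_QUERY = "SELECT id, ts, username, action FROM audit_log"
TIMESTAMP_FIELD = "ts"
SEPARATOR = "|"


def validate_query(query, ts_field):
    """Return the list of problems that break incremental retrieval (empty = ok)."""
    problems = []
    # "SELECT *" (or a bare * anywhere in the select list): the run needs a stable,
    # explicit column order to map values onto the separator-joined line.
    if re.search(r"\bselect\b\s+(?:distinct\s+)?\*", query, re.I) or re.search(r",\s*\*", query):
        problems.append("the SELECT list must name its columns, not use *")
    # A timestamp condition in the user's own WHERE fights with the one the
    # scheduled run adds, re-sending or skipping rows depending on the clause.
    where = re.search(r"\bwhere\b(.*)$", query, re.I | re.S)
    if where and re.search(rf"\b{re.escape(ts_field)}\b", where.group(1), re.I):
        problems.append(f"the query must not filter on the timestamp column {ts_field!r}")
    return problems


def incremental_fetch(conn, query, ts_field, since, separator=SEPARATOR):
    """One scheduled run (assumed shape): wrap the user's query in a timestamp
    filter, fetch rows newer than `since`, and return (lines, newest_timestamp).
    The caller stores newest_timestamp and passes it back as `since` next time."""
    problems = validate_query(query, ts_field)
    if problems:
        raise ValueError("; ".join(problems))
    wrapped = f"SELECT * FROM ({query}) q WHERE {ts_field} > ? ORDER BY {ts_field}"
    cur = conn.execute(wrapped, (since,))
    columns = [d[0] for d in cur.description]
    if ts_field not in columns:
        raise ValueError(f"the query must return the timestamp column {ts_field!r}")
    ts_idx = columns.index(ts_field)
    rows = cur.fetchall()
    lines = [separator.join(str(v) for v in row) for row in rows]
    newest = rows[-1][ts_idx] if rows else since
    return lines, newest


def add_row(conn, row_id, ts, username, action):
    """Simulate new activity landing in the customer's table between two runs."""
    conn.execute("INSERT INTO audit_log VALUES (?, ?, ?, ?)", (row_id, ts, username, action))
    conn.commit()


if __name__ == "__main__":
    conn = demo_connection()
    lines, newest = incremental_fetch(conn, GOOD_QUERY, TIMESTAMP_FIELD, "1970-01-01T00:00:00")
    print("\n".join(lines))  # first run: the three existing rows
    add_row(conn, 4, "2023-01-04T08:30:00", "bob", "LOGIN")
    lines, newest = incremental_fetch(conn, GOOD_QUERY, TIMESTAMP_FIELD, newest)
    print("\n".join(lines))  # second run: only the new row
    print(validate_query("SELECT * FROM audit_log WHERE ts > '2023-01-01'", TIMESTAMP_FIELD))
```

The validator is worth running on the Query field before saving the app: both mistakes it flags produce a configuration that appears to work on the first run and silently loses or duplicates rows on later ones.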

Export SGBox GPG Key
https://www.sgbox.eu/en/knowledge-base/export-sgbox-gpg-key/ (published Thu, 06 Feb 2020 13:57:55 +0000)

How to export SGBox GPG Key

This article explains how to export the SGBox private and public keys in order to decipher your logs outside SGBox.

Requirements:

  • SGBox version 4.2.0 or later.
  • Only the default Admin user can export the key.
  • The supervisor password must be set in SCM > Advanced Options, Supervisor Password.
    • Note: if the previously set password is lost, customers are asked to open a ticket to SGBox support via the ticket platform (https://sgboxportal.sgbox.it), entering “Password Change for Supervisor” in the subject of the ticket.

From SGBox go to SCM > Applications
Due to SoD restrictions, the keys are not available by default. You need to send an email to support@www.sgbox.it asking to unlock them.

Once unlocked, a new section Tools appears. Go to SCM > Applications > Tools
Install the application GPG key export and click the PLAY button.

Insert the Supervisor password and the keys will be shown.
Take your time to copy them and store them in a safe place.

Here are a couple of examples of how to decrypt logs: Log decryption

SGBox Restore
https://www.sgbox.eu/en/knowledge-base/sgbox-restore/ (published Wed, 05 Feb 2020 16:59:36 +0000)

Configure SGBox Restore Application

This article explains how to configure the SGBox app in order to restore your logs or database to SGBox.

Requirements:

  • SGBox version 4.2.4
  • A shared folder on your server.

Install the SGBox Backup application: SCM > Applications > Backup
You can choose the SMB or NFS protocol to restore your files. Once installed, you need to configure it.

Click PLAY and wait 90 seconds for the restore process to start.
If you select Raw log data you also need to specify a start date and the list of hosts you want to restore.

If you select SGBox Database you also need to specify the start date you want to restore from.

Schedule Application
https://www.sgbox.eu/en/knowledge-base/schedule-application/ (published Wed, 05 Feb 2020 14:21:00 +0000)

Schedule application execution

Some applications need to be scheduled in order to be executed.
This article explains how to configure an SGBox scheduled job in order to execute them recursively at a specific time.

Requirements:

  • SGBox version 4.2.0.
  • The specific application must be installed.

From SCM > Applications select SCHEDULE LIST. Then click NEW SCHEDULATION.

Create the new schedule by completing all the required parameters and selecting the application.
In this example we select SGBox Backup, but you can choose your own application.

After configuring it, you can see your schedule in the list.
