app – SGBox Next Generation SIEM & SOAR, https://www.sgbox.eu (feed generated Thu, 05 Mar 2026 15:00:24 +0000)

API configuration on Telegram
https://www.sgbox.eu/en/knowledge-base/soar/api-configuration-on-telegram/
Thu, 05 Mar 2026 14:38:50 +0000

API Key configuration

This article explains how to configure SGBox to interact with the Telegram API in order to send alert messages when a specific event occurs.

Requirements:

  • SGBox version 4.2.4 with the LM and LCE modules.
  • A Telegram BOT.

There are many tutorials about how to configure a Telegram bot. We chose @BotFather for our example.
First you need to create your bot and obtain your TOKEN:


A token looks like this: 1148120703:AbIUGpERusdQDEEag_EL1KDtynRB9sIhbj1.
You also need the chat_id, so start a chat, say “Hello” to your bot, then retrieve the chat id:


From your browser go to:
https://api.telegram.org/bot1148120703:AbIUGpERusdQDEEag_EL1KDtynRB9sIhbj1/getupdates

Find the ID in the response:
id: 124229696

API Key configuration

Log in to SGBox and download the Telegram application:
from SCM > Application > SOAR PREMIUM download and install the Telegram application.


Go to PB > Playbooks > Telegram_Alert


Edit the Telegram BOT credentials


Name field: bot_id (do not change). The value to enter is the token obtained in the first part of this guide.

Value: 1148120703:AbIUGpERusdQDEEag_EL1KDtynRB9sIhbj1

Name field: chat_id (do not change). The value to enter is the chat id obtained in the first part of this guide.

Value: 124229696

When we have finished entering our credentials we can test everything, save, and close the window.


SGBox SOAR Usage

Next we need to create an Event/logs query to connect with the Telegram_Alert playbook: go to LM > Analysis > Event/logs queries


Create a new query with the blue button on the right.


In the SELECT we put the parameters that we want to see in the message that will arrive on Telegram.

On this example we write:

 $HOST as Host, $EVENT as Action, $PARAM:[TargetUserName] as details, $TIMESTAMP as Timestamp

Now set your “FROM” (the class or classes).


Now choose the event or events:


Important: we need to verify that our query works. NB: before clicking the test button, check the time range.


Now press the “Show Scheduling Options” button.


Tick the “Run Playbook” flag and choose our Telegram alert.


Go back to the Playbook section.


Go to Format message.


As before, click on the edit button; in the text section we write the Telegram message that will reach us once it is set:

Telegram Alert
Host: $1

Action: $2 

Details: $3

Timestamp: $4

The values refer to the fields of the query we made earlier; to add parameters to the text message click on plus, or on trash to delete one.

Save all with the button on the right “save”
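Two of the steps above, retrieving the chat id from the getUpdates response and turning the fields of the query's SELECT into the $1..$4 message, worked through as an added example. This is not code from the original article and not SGBox's own implementation: the getUpdates response, the token, the chat id and the event row are constructed, and the function names are mine. Nothing is sent unless send() is called, so the rest runs offline.

```python
import json
import re
import urllib.parse
import urllib.request

# Constructed sample of a getUpdates response, as returned after you say "Hello"
# to the bot. The ids and names are made up for this example.
SAMPLE_GET_UPDATES = json.dumps({
    "ok": True,
    "result": [
        {
            "update_id": 100000001,
            "message": {
                "message_id": 1,
                "from": {"id": 124229696, "is_bot": False, "first_name": "Mario"},
                "chat": {"id": 124229696, "first_name": "Mario", "type": "private"},
                "date": 1700000000,
                "text": "Hello",
            },
        }
    ],
})

# Placeholder token for the example; a real one comes from @BotFather.
EXAMPLE_TOKEN = "1234567890:EXAMPLE_TOKEN_NOT_REAL"

# The message template from the article; $1..$4 are the positions of the
# fields in the SELECT of the Event/logs query (Host, Action, details, Timestamp).
TEMPLATE = "Telegram Alert\nHost: $1\nAction: $2\nDetails: $3\nTimestamp: $4"


def extract_chat_ids(get_updates_json):
    """Return the distinct chat ids found in a getUpdates response body."""
    data = json.loads(get_updates_json)
    if not data.get("ok"):
        raise ValueError("Telegram API answered ok=false: %s" % data.get("description"))
    ids = []
    for update in data.get("result", []):
        msg = update.get("message") or update.get("edited_message")
        if msg and "chat" in msg:
            chat_id = msg["chat"]["id"]
            if chat_id not in ids:
                ids.append(chat_id)
    return ids


def render_message(template, row):
    """Replace $1..$N with the positional values of one query result row."""
    def substitute(match):
        index = int(match.group(1)) - 1
        if index < 0 or index >= len(row):
            raise IndexError("template uses $%s but the row has %d fields"
                             % (match.group(1), len(row)))
        return str(row[index])
    return re.sub(r"\$(\d+)", substitute, template)


def build_send_message(token, chat_id, text):
    """URL and form body for the Bot API sendMessage call (not sent here)."""
    url = "https://api.telegram.org/bot%s/sendMessage" % token
    body = urllib.parse.urlencode({"chat_id": chat_id, "text": text}).encode()
    return url, body


def mask_token(token):
    """Token as it should appear in logs: the bot id plus three chars of the secret."""
    bot_id, _, secret = token.partition(":")
    return "%s:%s***" % (bot_id, secret[:3])


def send(url, body, timeout=10):
    """Perform the POST; kept separate so the rest of the module runs offline."""
    request = urllib.request.Request(url, data=body)
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    chat_id = extract_chat_ids(SAMPLE_GET_UPDATES)[0]
    # Constructed row in the same order as the SELECT of the article's query.
    row = ("srv-dc01", "LogonOK", "m.rossi", "2026-03-05 14:38:50")
    url, body = build_send_message(EXAMPLE_TOKEN, chat_id, render_message(TEMPLATE, row))
    print("would POST to", url.replace(EXAMPLE_TOKEN, mask_token(EXAMPLE_TOKEN)))
    print(body.decode())
```

The token is part of the request URL, so anything that logs the URL (proxies, debug output, the browser history when you open getUpdates by hand) records the bot secret; mask_token shows the form worth logging instead.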


Back in the Playbook section, search for Telegram_Alert and check the status of the playbook on the right side: if it is green, the playbook will alert you whenever the event we indicated happens.


If everything is correct, after a login Telegram alerts me that someone has performed a LogonOK.

Configure Oracle App
https://www.sgbox.eu/en/knowledge-base/scm-system-control-management-en/applications-en-en/configure-oracle-app/
Tue, 03 Jan 2023 10:41:46 +0000

Download and Configure Microsoft SQL App

This article explains how to configure the Oracle App in order to retrieve logs from a specified database table.
Requirements:

  • SGBox version 4.2.5

Go to the application list: from SGBox go to SCM > Applications.

Select Vendors Integrations and download the application Log from Oracle. Click on INSTALL. Once installed, click on the EDIT icon.


You need to configure the application as follows:

  • Host: database IP
  • SID: Oracle SID
  • Port: DB port
  • Username: Oracle user used to log in
  • Password: the Oracle user's password
  • Start Date: initial date from which to retrieve logs
  • Timestamp field: the column that contains the timestamp
  • Timestamp table: the table that contains the timestamp
  • Separate field: character used to separate the fields once retrieved
  • Query: query used to extract the information

IT’S VERY IMPORTANT NOT TO PUT ANY TIMESTAMP CONDITION OR * IN THE SELECT FIELD

Once configured, you need to schedule the application to be executed. See the Schedule Application article to learn how to schedule an application.

The first time the application runs, some components are added; if everything is ok you can see the results in LM > Analysis > Historical Search.

Once executed you’ll see your logs in LM > Analysis > Historical Search.

If you have more databases or more database servers, you can clone the application and configure a new one.

Configure MySQL App
https://www.sgbox.eu/en/knowledge-base/scm-system-control-management-en/applications-en-en/configure-mysql-app/
Fri, 27 Mar 2020 22:39:24 +0000

Download and Configure MySQL App

This article explains how to configure the MySQL App in order to retrieve logs from a specific database table.
Before starting, here you can see how our database is configured:

Requirements:

  • SGBox version 4.2.5

Go to the application list: from SGBox go to SCM > Applications.

Select Vendors Integrations and download the application Log from MySQL.

You need to configure the application as follows:

  • Host: database IP
  • Username: SQL user used to log in
  • Password: the SQL user's password
  • Start Date: initial date from which to retrieve logs
  • Timestamp field: the column that contains the timestamp
  • Timestamp table: the table that contains the timestamp
  • Separate field: character used to separate the fields once retrieved
  • Query: query used to extract the information
  • DB name: the database name

Once configured, you need to schedule the application to be executed. See the Schedule Application article to learn how to schedule an application.

Once executed you’ll see your logs in LM > Analysis > Historical Search.

If you have more databases or more database servers, you can clone the application and configure a new one.

Configure MSSQL App
https://www.sgbox.eu/en/knowledge-base/scm-system-control-management-en/applications-en-en/configure-mssql-app/
Fri, 27 Mar 2020 19:49:50 +0000

Download and Configure Microsoft SQL App

This article explains how to configure the MSSQL App in order to retrieve logs from a specific database table.
Before starting, here you can see how our database is configured, logging in with SQL Authentication:

You can see:

  • In red: the database configuration
  • In black: the query results


Requirements:

  • SGBox version 4.2.5
  • The SQL Authentication must be used to execute the query

Go to the application list: from SGBox go to SCM > Applications.

Select Vendors Integrations and download the application Log from SQL Server.

You need to configure the application as follows:

  • Host: database IP
  • Connection string: used to connect to the database
  • Username: SQL user used to log in
  • Password: the SQL user's password
  • Start Date: initial date from which to retrieve logs
  • Timestamp field: the column that contains the timestamp
  • Timestamp table: the table that contains the timestamp
  • Separate field: character used to separate the fields once retrieved
  • Query: query used to extract the information
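The Query, Timestamp field, Start Date and Separate field settings are the same for the Log from Oracle, Log from MySQL and Log from SQL Server apps above, and the Oracle article states the rule for the Query: no * in the SELECT list and no timestamp condition. The following is an added example written for this page, not SGBox's own code: a check that enforces that rule, followed by a collector that shows why it exists by appending its own start-date condition and joining each row with the separator. sqlite3 stands in for the real database; the table, its rows and the function names are constructed, and the way the condition is appended is my assumption about what the collector does, not something documented on the page.

```python
import re
import sqlite3


def build_demo_db():
    """Constructed stand-in for the source database (sqlite instead of Oracle/MySQL/SQL Server)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE audit_log (event_time TEXT, user_name TEXT, action TEXT, client_ip TEXT)"
    )
    conn.executemany(
        "INSERT INTO audit_log VALUES (?, ?, ?, ?)",
        [
            ("2020-03-25 08:00:00", "alice", "LOGON", "10.0.0.5"),
            ("2020-03-26 09:30:00", "bob", "LOGON_FAILED", "10.0.0.9"),
            ("2020-03-27 10:15:00", "alice", "LOGOFF", "10.0.0.5"),
        ],
    )
    return conn


def check_query(query, timestamp_field):
    """List the problems with a Query field value, following the rules in the articles."""
    problems = []
    head = re.match(r"\s*select\s+(.*?)\s+from\s", query, re.I | re.S)
    if head is None:
        return ["the query must be a single SELECT ... FROM statement"]
    select_list = head.group(1)
    # A bare * (or alias.*) as a select item: the database then decides the column
    # order, so the separated output cannot be mapped to stable fields.
    if re.search(r"(^|,)\s*(\w+\.)?\*\s*(,|$)", select_list):
        problems.append("the SELECT list contains '*'; name the columns explicitly")
    rest = query[head.end():]
    where = re.search(r"\bwhere\b(.*?)(?:\border\s+by\b|\bgroup\s+by\b|$)", rest, re.I | re.S)
    if where and re.search(r"\b%s\b" % re.escape(timestamp_field), where.group(1), re.I):
        problems.append("the WHERE clause filters on the timestamp field '%s'" % timestamp_field)
    if ";" in query.strip().rstrip(";"):
        problems.append("the query contains more than one statement")
    return problems


def fetch_rows(conn, query, timestamp_field, start_date, separator="|"):
    """Run the query from start_date onward and join each row with the separator.

    Appending the timestamp condition here mimics an incremental collector
    (assumption); it is the reason the Query field must not carry one itself.
    A query that already ends in ORDER BY is not handled by this simple append.
    """
    problems = check_query(query, timestamp_field)
    if problems:
        raise ValueError("; ".join(problems))
    # timestamp_field is an identifier from the app configuration, not log data,
    # but it is interpolated into SQL, so restrict it to a plain column name.
    if not re.fullmatch(r"\w+", timestamp_field):
        raise ValueError("timestamp field must be a plain column name")
    base = query.strip().rstrip(";")
    joiner = " AND " if re.search(r"\bwhere\b", base, re.I) else " WHERE "
    incremental = "%s%s%s >= ? ORDER BY %s" % (base, joiner, timestamp_field, timestamp_field)
    rows = conn.execute(incremental, (start_date,)).fetchall()
    return [separator.join(str(value) for value in row) for row in rows]


if __name__ == "__main__":
    conn = build_demo_db()
    for candidate in ("SELECT * FROM audit_log",
                      "SELECT user_name, action FROM audit_log WHERE event_time > '2020-01-01'",
                      "SELECT event_time, user_name, action FROM audit_log"):
        print(candidate, "->", check_query(candidate, "event_time") or "ok")
    for line in fetch_rows(conn, "SELECT event_time, user_name, action FROM audit_log",
                           "event_time", "2020-03-26"):
        print(line)
```

Choose a separator that cannot occur inside the selected columns (a user name or a free-text message field containing the separator shifts every later field by one), and keep the timestamp column in the SELECT list if you want the event time to reach SGBox as a field rather than only act as the cursor.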

Once configured, you need to schedule the application to be executed. See the Schedule Application article to learn how to schedule an application.

The first time the application runs, some components are added; if everything is ok you can see the results in LM > Analysis > Historical Search.

Once executed you’ll see your logs in LM > Analysis > Historical Search.

If you have more databases or more SQL Servers, you can clone the application and configure a new one.

SGBox App Restore
https://www.sgbox.eu/en/knowledge-base/scm-system-control-management-en/applications-en-en/sgbox-restore/
Wed, 05 Feb 2020 16:59:36 +0000

Configure SGBox Restore Application

This article explains how to configure SGBox App Restore in order to restore your Raw log data, Raw logs signatures, Database and Settings.

Requirements:

  • Share the backup data folder with SGBox using SMB, NFS, or SSH protocols.

Go under SCM > Applications > Backup
Select the application to use and proceed with the Download and install.
Note: the choice of the restore application depends on which application was previously used for the backup. For example, if you used “SGBox Backup SMB” to back up your data, you must then use the “SGBox Restore SMB” application for the restore process.

After installing the Restore App, configure the required settings and click OK to apply the changes.

To start the restore application, click the RUN button.
Note: a pop-up will appear with the message ‘Reading from restore path… this operation may take a few minutes’. Please wait until the option to proceed becomes available.
Restore Options

  • Raw log data: allows you to restore encrypted raw logs. You must also specify a start date and the host list you wish to restore.
  • Raw logs signatures: allows you to restore the signatures associated with encrypted raw logs.
  • SGBox Database: allows you to restore databases, configurations, and settings related to the databases within SGBox. You must specify the start date for the restore. Note: this option lets you choose which specific date’s database to import; it is recommended to use the most recent date to ensure all the latest data and changes are recovered.
  • SGBox Settings: allows you to restore the general settings and specific lists configured within SGBox.

Click the Restore button to start the activity and wait until it is completed.

To verify the success of the operation, ensure that the data has been correctly updated in your SGBox. Additionally, you can review the restore status in the notification email with the subject ‘SGBox Restore‘ which is automatically sent after every restore activity.

Schedule Application
https://www.sgbox.eu/en/knowledge-base/scm-system-control-management-en/applications-en-en/schedule-application/
Wed, 05 Feb 2020 14:21:00 +0000

Schedule application execution

Some applications need to be scheduled in order to be executed.
This article explains how to configure an SGBox schedule job in order to execute them recursively at a specific time.

Requirements:

  • SGBox version 4.2.0.
  • Specific application must be installed.

From SCM > Applications select SCHEDULE LIST. Then click on NEW SCHEDULATION


Create the new schedulation by completing all the required parameters and selecting the application.
In this example we select SGBox Backup, but you can choose your own application.

Once configured, you can see your schedulation in the list.


User Behavior Analytics
https://www.sgbox.eu/en/knowledge-base/scm-system-control-management-en/applications-en-en/user-behavior-analytics/
Wed, 28 Aug 2019 10:16:35 +0000

User Behavior Analytics (UBA)

The behavior analysis is an extension of the Risk Analysis: it takes into consideration all the events related to a user and performs a series of evaluations to define whether the behavior of that user is considered “normal” or not.
Statistical algorithms analyze the historical data related to the user, the actions performed and the hosts on which these actions took place.

Requirements:

  • SGBox Version 4.2.1.
  • The User Behavior Analytics must be unlocked. Contact us for more information.

Examples of anomalies:

  • the user Mario always connects to the VPN every morning at 9 AM. One day he starts the VPN at 3 AM.
  • the user Giovanni has never accessed the core switch. One day he does.
  • the user Luigi has never been seen before. One day he logs in to a Windows system.

Evaluations performed:

  • is the user known?
  • has the user already performed this particular action?
  • has the user already performed this particular action in this time interval?
  • has the user already performed this particular action on this host?
  • how do other users behave about this particular action?

The purpose of this analysis, as said, is to define whether a behavior can be considered ‘normal’. All the different algorithms applied to the historical data define the score (risk level) that will be assigned to the user.

UBA Configurations

Only a few parameters can be modified to fine-tune the user behavior analysis algorithms. In the “advanced options” section, you can:


  • enable or disable the learning mode. If unchecked, the learning mode is disabled and the analysis is performed. If you enable this flag you should also define an expiration date for the learning mode, after which it is automatically disabled. If you enable this flag with few events, you may start receiving a lot of warning messages, since there is no history.
  • define an email address that will receive all the messages coming from the behavior analysis.
  • by default, everything that happened during the last 15 days represents the analysis base. Meaningful values range from 15 to 30 days.
  • define a retention time for the users’ baseline. This is generally two times the analysis base, and the acceptable range is between the analysis base value and 60.
  • the last option is the minimum percentage beyond which an event is considered to be at risk.

You can also specify which events are involved in UBA by enabling them in LM > User Behavior Analytics.
Here it is also required to select the User Parameter.

Dashboards
Results should be accessed through dashboards. The application deploys four new dashboards called “User Behavior Analytics – *”. Please take a look at the dashboards, and don’t forget that while the application is in learning mode nothing is displayed.
The application also enables a new widget called “User Behavior analytics”. You can create your own dashboards by mixing the different views enabled by this widget.

Lists
The application also modifies the Lists view (SCM > Actions > Lists) by adding a new column called “UBA”. When a list file is selected, it is used by the user behavior analysis application to match the current user with other users. The list file should contain a set of users that belong to the same group (or role) as the current user. You can use a list to include and/or exclude a user from a group. If both the include and the exclude flag are selected, the list is used first as an include list and, if there is no match, as an exclude list (the user’s behavior is compared against the users not present in that list).
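The five evaluations, the learning mode, the analysis base and the include/exclude list rules described above, worked through in code as an added example. This is not SGBox's implementation and not code from the article: the event history, users and weights are constructed; treating the hour of the day as the "time interval", summing weights to a risk percentage that is compared with the minimum percentage, and falling back to all other users when an include-only list does not contain the current user are my assumptions, since the page does not describe the scoring or that case.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample history (timestamp, user, action, host); not real SGBox data.
HISTORY = [
    ("2019-08-20 09:02", "mario", "vpn_connect", "vpn-gw"),
    ("2019-08-21 09:05", "mario", "vpn_connect", "vpn-gw"),
    ("2019-08-22 08:58", "mario", "vpn_connect", "vpn-gw"),
    ("2019-08-21 10:30", "giovanni", "ssh_login", "srv-app01"),
    ("2019-08-22 11:00", "giovanni", "ssh_login", "srv-app01"),
    ("2019-08-23 14:10", "anna", "ssh_login", "core-switch"),
    ("2019-07-01 09:00", "old_user", "vpn_connect", "vpn-gw"),  # older than the analysis base
]

# Assumed weights for the five evaluations (the real scoring is not documented).
WEIGHTS = {"user_known": 40, "action_seen": 20, "action_in_time_interval": 15,
           "action_on_host": 15, "peers_do_this": 10}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def empty_profile():
    return {"actions": set(), "action_hours": set(), "action_hosts": set()}


def build_baseline(events, now, analysis_base_days=15):
    """Per-user profile built from the events inside the analysis base (default 15 days)."""
    cutoff = now - timedelta(days=analysis_base_days)
    baseline = defaultdict(empty_profile)
    for ts, user, action, host in events:
        t = parse(ts)
        if t < cutoff:
            continue
        profile = baseline[user]
        profile["actions"].add(action)
        profile["action_hours"].add((action, t.hour))  # hour of day as the "time interval"
        profile["action_hosts"].add((action, host))
    return dict(baseline)


def peer_group(user, all_users, list_users=(), include=False, exclude=False):
    """Users the current user is compared against, following the Lists rules.

    include: if the user is in the list, peers are the other list members.
    exclude: peers are the users not in the list.
    both: include first; if the user is not in the list, fall back to exclude.
    Include-only with the user not in the list is not specified on the page; here it
    falls back to all other users (assumption).
    """
    others = [u for u in all_users if u != user]
    if include and user in list_users:
        return [u for u in others if u in list_users]
    if exclude:
        return [u for u in others if u not in list_users]
    return others


def evaluate(baseline, event, min_percentage=15, learning_until=None, peers=None):
    """Answer the five UBA questions for one event and turn the misses into a risk percentage."""
    ts, user, action, host = event
    t = parse(ts)
    if learning_until is not None and t < learning_until:
        # Learning mode: the event only feeds the history; no evaluation, no warning.
        return {"user": user, "learning": True, "risk_percentage": 0, "at_risk": False}
    profile = baseline.get(user, empty_profile())
    if peers is None:
        peers = peer_group(user, baseline.keys())
    doing = sum(1 for u in peers if action in baseline.get(u, empty_profile())["actions"])
    checks = {
        "user_known": user in baseline,
        "action_seen": action in profile["actions"],
        "action_in_time_interval": (action, t.hour) in profile["action_hours"],
        "action_on_host": (action, host) in profile["action_hosts"],
        "peers_do_this": bool(peers) and doing / len(peers) >= 0.5,
    }
    risk = sum(WEIGHTS[name] for name, ok in checks.items() if not ok)
    return {"user": user, "learning": False, "checks": checks,
            "risk_percentage": risk, "at_risk": risk >= min_percentage}


if __name__ == "__main__":
    base = build_baseline(HISTORY, parse("2019-08-28 10:00"))
    for ev in [("2019-08-28 03:00", "mario", "vpn_connect", "vpn-gw"),
               ("2019-08-28 11:00", "giovanni", "ssh_login", "core-switch"),
               ("2019-08-28 08:00", "luigi", "windows_login", "ws-042")]:
        result = evaluate(base, ev)
        print(ev[1], result["risk_percentage"], "AT RISK" if result["at_risk"] else "normal")
```

The three anomalies from the article map onto the checks: Mario at 3 AM misses only the time interval, Giovanni on the core switch misses only the host, and Luigi is unknown and so misses everything. The minimum percentage decides where the line between "warn" and "ignore" falls, and the peer group decides whether a first-time action is unusual for the role or just for the person.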
