Set up SIEM for Integration

Set up the SIEM server for integration with IoT Security through Cortex XSOAR.
  1. Configure the SIEM server to accept the following device attributes from IoT Security.
    The field names in the first three rows are predefined, standard names. The field names in the remaining rows must be defined for IoT Security device attributes.
        Device Attribute (IoT Security)    SIEM Field Name
    1   IP Address                         dvc
    2   MAC Address                        dvcmac
    3   Hostname                           dvchost
    4   Profile                            cs1Label=Profile
    5   Category                           cs2Label=Category
    6   Profile Type                       cs3Label=Profile
    7   Vendor                             cs4Label=Vendor
    8   Model                              cs5Label=Model
    9   VLAN ID                            cs6Label=Vlan
    10  Site                               cs7Label=Site
    11  Risk Score                         cs8Label=RiskScore
    12  Risk Level                         cs9Label=RiskLevel
    13  Subnet                             cs10Label=Subnet
    14  Number of Critical Alerts          cs11Label=NumCriticalAlerts
    15  Number of Warning Alerts           cs12Label=NumWarningAlerts
    16  Number of Caution Alerts           cs13Label=NumCautionAlerts
    17  Number of Info Alerts              cs14Label=NumInfoAlerts
    18  First Seen Date                    cs15Label=FirstSeenDate
    19  Confidence Score                   cs16Label=ConfidenceScore
    20  OS Group                           cs17Label=OsGroup
    21  OS/Firmware Version                cs18Label=OsFirmwareVersion
    22  OS Support                         cs19Label=OsSupport
    23  OS End of Support                  cs20Label=OsEndOfSupport
    24  Serial Number                      cs21Label=SerialNumber
    25  Endpoint Protection                cs22Label=EndpointProtection
    26  Network Location                   cs23Label=NetworkLocation
    27  AET                                cs24Label=AET
    28  DHCP                               cs25Label=DHCP
    29  Wired or Wireless                  cs26Label=WireOfWireless
    30  SMB                                cs27Label=SMB
    31  Switch Port                        cs28Label=SwitchPort
    32  Switch Name                        cs29Label=SwitchName
    33  Switch IP Address                  cs30Label=SwitchIp
    34  Services                           cs31Label=Services
    35  Server                             cs32Label=IsServer
    36  NAC Profile                        cs33Label=NAC_Profile
    37  NAC Profile Source                 cs34Label=NAC_ProfileSource
    38  Access Point IP Address            cs35Label=AccessPointIp
    39  Access Point Name                  cs36Label=AccessPointName
    40  SSID                               cs37Label=SSID
    41  Authentication Method              cs38Label=AuthMethod
    42  Encryption Cipher                  cs39Label=EncryptionCipher
    43  AD Username                        cs40Label=AD_Username
    44  AD Domain                          cs41Label=AD_Domain
    45  Applications                       cs42Label=Applications
    46  Tags                               cs43Label=Tags
    47  OS Combined                        cs44Label=os_combined
    IoT Security supplies Cortex XSOAR with device attributes, and XSOAR converts them into Common Event Format (CEF) before sending them to the SIEM server.
    Example of the device attributes for an Apple iPad in CEF:
    "INFO:siem-syslog:CEF:0|PaloAltoNetworks|PANWIOT|1.0|asset|Asset Identification|1|dvc=10.1.1.39 dvcmac=cc:d2:81:33:bd:6a dvchost=iPad cs1Label=Profile cs1=iPad cs2Label=Category cs2=Smartphone or Tablet cs3Label=Type cs3=Non_IoT cs4Label=Vendor cs4=Apple Inc. cs5Label=Model cs5=iPad11,1 cs6Label=Vlan cs6=330 cs7Label=Site cs7=test-1117-04 cs8Label=RiskScore cs8=20 cs9Label=RiskLevel cs9=Low cs10Label=Subnet cs10=10.1.1.0/24 cs15Label=FirstSeenDate cs15=2020-04-07T22:04:20.000Z cs16Label=ConfidenceScore cs16=95 cs17Label=OsGroup cs17=iOS cs22Label=EndpointProtection cs22=not_protected cs25Label=DHCP cs25=Yes cs26Label=WireOrWireless cs26=wireless cs42Label=Applications cs42=Zoom,iCloud,iTunes cs44Label=os_combined cs44=iOS"
    Example of an alert about an outdated version of Chrome:
    "CEF:0|PaloAltoNetworks|PANWIOT|1.0|PaloAltoNetworks Alert:policy_alert|Outdated Chrome version used by IoT device|2|dvcmac=14:91:38:b5:22:18 src=10.1.20.14 shost=unknown dhost=UNKNOWN URL fileId=0oakC30 fileType=alert rt=2020-12-30T23:07:24.000Z deviceCustomDate1=1609369890526 cs1Label=Description cs1=The usage of an outdated Chrome version has been detected on this device. Using older versions of a web browser can expose your device to security risks. cs2Label=Values cs2=[{'label': 'user agent', 'value': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36'}]"
    Example of a vulnerability test:
    "INFO:siem-syslog:CEF:0|PaloAltoNetworks|PANWIOT|1.0|vulnerability|Vulnerability Test - Medium|1|dvc=10.1.3.54 dvcmac=64:16:7f:4c:d1:53 dvchost=Polycom_64167f4cd153 cs1Label=Profile cs1=Polycom Video Conferencing Device cs2Label=Category cs2=Video Audio Conference cs3Label=Profile cs3=Office cs4Label=Vendor cs4=Polycom cs5Label=Model cs5=Trio8800 cs8Label=RiskScore cs8=26 cs9Label=RiskLevel cs9=Low cs11Label=vulnerabilityName cs11=Vulnerability Test - Medium cs12Label=DetectionDate cs12=2020-12-23T23:59:59.000Z cs17Label=OsGroup cs17=Embedded cs19Label=OsSupport cs19=Embedded"
  2. Note the IP address of the SIEM server and the port number on which it listens for syslog messages.
    You will need this information when configuring the SIEM instance in Cortex XSOAR.
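The following is an added example, not code from Palo Alto Networks or from this page: a small Python parser for the CEF messages shown above, plus a check that the csN custom-string labels arriving from XSOAR match the field definitions configured on the SIEM (step 1). It handles the syslog prefix in front of the header, pipe-delimited header fields, and extension values that contain spaces (such as "Smartphone or Tablet" or the alert description). The sample messages embedded below are constructed from the page's examples and shortened; the EXPECTED_LABELS lookup is a subset of the table above, not the full list.

```python
import re

# Constructed sample messages (shortened from the examples on this page).
SAMPLE_ASSET = (
    "INFO:siem-syslog:CEF:0|PaloAltoNetworks|PANWIOT|1.0|asset|Asset Identification|1|"
    "dvc=10.1.1.39 dvcmac=cc:d2:81:33:bd:6a dvchost=iPad cs1Label=Profile cs1=iPad "
    "cs2Label=Category cs2=Smartphone or Tablet cs8Label=RiskScore cs8=20 "
    "cs9Label=RiskLevel cs9=Low cs42Label=Applications cs42=Zoom,iCloud,iTunes"
)
SAMPLE_ALERT = (
    "CEF:0|PaloAltoNetworks|PANWIOT|1.0|PaloAltoNetworks Alert:policy_alert|"
    "Outdated Chrome version used by IoT device|2|dvcmac=14:91:38:b5:22:18 "
    "src=10.1.20.14 shost=unknown rt=2020-12-30T23:07:24.000Z cs1Label=Description "
    "cs1=The usage of an outdated Chrome version has been detected on this device."
)
# Constructed message with a mistyped label, to show the consistency check firing.
SAMPLE_MISLABELLED = (
    "CEF:0|PaloAltoNetworks|PANWIOT|1.0|asset|Asset Identification|1|"
    "dvc=10.1.1.40 cs8Label=R5iskScore cs8=20 cs9Label=RiskLevel cs9=Low"
)

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

# An extension value runs until the next whitespace-separated "key=" token or end of line.
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)", re.S)
_LABEL_RE = re.compile(r"^(cs\d+)Label$")

# Subset of the label assignments from the table in step 1 (constructed lookup).
EXPECTED_LABELS = {
    "cs1": "Profile", "cs2": "Category", "cs4": "Vendor", "cs5": "Model",
    "cs6": "Vlan", "cs7": "Site", "cs8": "RiskScore", "cs9": "RiskLevel",
    "cs10": "Subnet", "cs15": "FirstSeenDate", "cs17": "OsGroup",
    "cs42": "Applications",
}


def parse_cef(line):
    """Return (header_dict, extension_dict) for one CEF line, syslog prefix allowed."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    body = line[start + len("CEF:"):]
    # Seven header fields separated by unescaped pipes; the rest is the extension.
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = {k: v.replace("\\|", "|") for k, v in zip(HEADER_FIELDS, parts[:7])}
    extension = {}
    for key, value in _EXT_RE.findall(parts[7]):
        # CEF escapes "=" and newlines inside extension values.
        extension[key] = value.replace("\\=", "=").replace("\\n", "\n")
    return header, extension


def resolve_custom_strings(extension):
    """Turn csNLabel=Name / csN=Value pairs into {Name: Value}; other keys pass through."""
    labels = {}
    for key, value in extension.items():
        m = _LABEL_RE.match(key)
        if m:
            labels[m.group(1)] = value
    resolved = {}
    for key, value in extension.items():
        if _LABEL_RE.match(key):
            continue
        resolved[labels.get(key, key)] = value
    return resolved


def label_mismatches(extension, expected=EXPECTED_LABELS):
    """Report csN slots whose Label differs from the SIEM's field definitions."""
    mismatches = {}
    for key, value in extension.items():
        m = _LABEL_RE.match(key)
        if m and m.group(1) in expected and expected[m.group(1)] != value:
            mismatches[m.group(1)] = (expected[m.group(1)], value)
    return mismatches


if __name__ == "__main__":
    for sample in (SAMPLE_ASSET, SAMPLE_ALERT, SAMPLE_MISLABELLED):
        header, ext = parse_cef(sample)
        print(header["signature_id"], header["severity"], resolve_custom_strings(ext))
        print("label mismatches:", label_mismatches(ext))
```

Running label_mismatches over a sample of live messages after the integration is enabled is a cheap way to confirm that the csN slots XSOAR emits line up with the field names you defined on the SIEM; a mismatch means the SIEM will index the value under the wrong attribute (or not at all) without raising any error of its own.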