IoT Security Integration Guide
    : Set up SIEM for Integration
    Focus
    Download PDF
    Focus
    1. Home
    2. IoT
    3. IoT Security Integration Guide
    4. Security Information and Event Management
    5. Set up SIEM for Integration
    Download PDF

    IoT Security Integration Guide

    Set up SIEM for Integration

    Table of Contents

    Set up SIEM for Integration

    Set up the SIEM server for integration with IoT Security through Cortex XSOAR.
    1. Configure the SIEM server to accept the following device attributes from IoT Security.
      The field names in the first three rows are predefined, standard names. The field names in the remaining rows must be defined for IoT Security device attributes.
      Device Attribute (IoT Security)
      SIEM Field Name
      1
      IP Address
      dvc
      2
      MAC Address
      dvcmac
      3
      Hostname
      dvchost
      4
      Profile
      cs1Label=Profile
      5
      Category
      cs2Label=Category
      6
      Profile Type
      cs3Label=Profile
      7
      Vendor
      cs4Label=Vendor
      8
      Model
      cs5Label=Model
      9
      VLAN ID
      cs6Label=Vlan
      10
      Site
      cs7Label=Site
      11
      Risk Score
      cs8Label=RiskScore
      12
      Risk Level
      cs9Label=RiskLevel
      13
      Subnet
      cs10Label=Subnet
      14
      Number of Critical Alerts
      cs11Label=NumCriticalAlerts
      15
      Number of Warning Alerts
      cs12Label=NumWarningAlerts
      16
      Number of Caution Alerts
      cs13Label=NumCautionAlerts
      17
      Number of Info Alerts
      cs14Label=NumInfoAlerts
      18
      First Seen Date
      cs15Label=FirstSeenDate
      19
      Confidence Score
      cs16Label=ConfidenceScore
      20
      OS Group
      cs17Label=OsGroup
      21
      OS/Firmware Version
      cs18Label=OsFirmwareVersion
      22
      OS Support
      cs19Label=OsSupport
      23
      OS End of Support
      cs20Label=OsEndOfSupport
      24
      Serial Number
      cs21Label=SerialNumber
      25
      Endpoint Protection
      cs22Label=EndpointProtection
      26
      Network Location
      cs23Label=NetworkLocation
      27
      AET
      cs24Label=AET
      28
      DHCP
      cs25Label=DHCP
      29
      Wired or Wireless
      cs26Label=WireOfWireless
      30
      SMB
      cs27Label=SMB
      31
      Switch Port
      cs28Label=SwitchPort
      32
      Switch Name
      cs29Label=SwitchName
      33
      Switch IP Address
      cs30Label=SwitchIp
      34
      Services
      cs31Label=Services
      35
      Server
      cs32Label=IsServer
      36
      NAC Profile
      cs33Label=NAC_Profile
      37
      NAC Profile Source
      cs34Label=NAC_ProfileSource
      38
      Access Point IP Address
      cs35Label=AccessPointIp
      39
      Access Point Name
      cs36Label=AccessPointName
      40
      SSID
      cs37Label=SSID
      41
      Authentication Method
      cs38Label=AuthMethod
      42
      Encryption Cipher
      cs39Label=EncryptionCipher
      43
      AD Username
      cs40Label=AD_Username
      44
      AD Domain
      cs41Label=AD_Domain
      45
      Applications
      cs42Label=Applications
      46
      Tags
      cs43Label=Tags
      47
      OS Combined
      cs44Label=os_combined
      IoT Security supplies Cortex XSOAR with device attributes, and XSOAR converts them into Common Event Format (CEF) before sending them to the SIEM server.
      Example of the device attributes for an Apple iPad in CEF:
      "INFO:siem-syslog:CEF:0|PaloAltoNetworks|PANWIOT|1.0|asset|Asset Identification|1|dvc=10.1.1.39 dvcmac=cc:d2:81:33:bd:6a dvchost=iPad cs1Label=Profile cs1=iPad cs2Label=Category cs2=Smartphone or Tablet cs3Label=Type cs3=Non_IoT cs4Label=Vendor cs4=Apple Inc. cs5Label=Model cs5=iPad11,1 cs6Label=Vlan cs6=330 cs7Label=Site cs7=test-1117-04 cs8Label=R5iskScore cs8=20 cs9Label=RiskLevel cs9=Low cs10Label=Subnet cs10=10.1.1.0/24 cs15Label=FirstSeenDate cs15=2020-04-07T22:04:20.000Z cs16Label=ConfidenceScore cs16=95 cs17Label=OsGroup cs17=iOS cs22Label=EndpointProtection cs22=not_protected cs25Label=DHCP cs25=Yes cs26Label=WireOrWireless cs26=wireless cs42Label=Applications cs42=Zoom,iCloud,iTunes cs44Label=os_combined cs44=iOS"
      Example of an alert about an outdated version of Chrome:
      "CEF:0|PaloAltoNetworks|PANWIOT|1.0|PaloAltoNetworks Alert:policy_alert|Outdated Chrome version used by IoT device|2|dvcmac=14:91:38:b5:22:18 src=10.1.20.14 shost=unknown dhost=UNKNOWN URL fileId=0oakC30 fileType=alert rt=2020-12-30T23:07:24.000Z deviceCustomDate1=1609369890526 cs1Label=Description cs1=The usage of an outdated Chrome version has been detected on this device. Using older versions of a web browser can expose your device to security risks. cs2Label=Values cs2=[{'label': 'user agent', 'value': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36'}]"
      Example of a vulnerability test:
      "INFO:siem-syslog:CEF:0|PaloAltoNetworks|PANWIOT|1.0|vulnerability|Vulnerability Test - Medium|1|dvc=10.1.3.54 dvcmac=64:16:7f:4c:d1:53 dvchost=Polycom_64167f4cd153 cs1Label=Profile cs1=Polycom Video Conferencing Device cs2Label=Category cs2=Video Audio Conference cs1Labe3=Profile cs3=Office cs4Label=Vendor cs4=Polycom cs5Label=Model cs5=Trio8800 cs8Label=RiskScore cs8=26 cs9Label=RiskLevel cs9=Low cs11Label=vulnerabilityName cs11=Vulnerability Test - Medium cs12Label=DetectionDate cs12=2020-12-23T23:59:59.000Z cs17Label=OsGroup cs17=Embedded cs19Label=OsSupport cs19=Embedded"
    2. Note the IP address of the SIEM server and the port number on which it listens for syslog messages.
      You will need this information when configuring the SIEM instance in Cortex XSOAR.

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.