Set up SIEM for Integration

Set up the SIEM server for integration with IoT Security through Cortex XSOAR.
  1. Configure the SIEM server to accept the following device attributes from IoT Security.
    The field names in the first three rows are predefined, standard names. The field names in the remaining rows must be defined for IoT Security device attributes.
    #   Device Attribute (IoT Security)   SIEM Field Name
    1   IP Address                        dvc
    2   MAC Address                       dvcmac
    3   Hostname                          dvchost
    4   Profile                           cs1Label=Profile
    5   Category                          cs2Label=Category
    6   Profile Type                      cs3Label=Profile
    7   Vendor                            cs4Label=Vendor
    8   Model                             cs5Label=Model
    9   VLAN ID                           cs6Label=Vlan
    10  Site                              cs7Label=Site
    11  Risk Score                        cs8Label=RiskScore
    12  Risk Level                        cs9Label=RiskLevel
    13  Subnet                            cs10Label=Subnet
    14  Number of Critical Alerts         cs11Label=NumCriticalAlerts
    15  Number of Warning Alerts          cs12Label=NumWarningAlerts
    16  Number of Caution Alerts          cs13Label=NumCautionAlerts
    17  Number of Info Alerts             cs14Label=NumInfoAlerts
    18  First Seen Date                   cs15Label=FirstSeenDate
    19  Confidence Score                  cs16Label=ConfidenceScore
    20  OS Group                          cs17Label=OsGroup
    21  OS/Firmware Version               cs18Label=OsFirmwareVersion
    22  OS Support                        cs19Label=OsSupport
    23  OS End of Support                 cs20Label=OsEndOfSupport
    24  Serial Number                     cs21Label=SerialNumber
    25  Endpoint Protection               cs22Label=EndpointProtection
    26  Network Location                  cs23Label=NetworkLocation
    27  AET                               cs24Label=AET
    28  DHCP                              cs25Label=DHCP
    29  Wired or Wireless                 cs26Label=WireOrWireless
    30  SMB                               cs27Label=SMB
    31  Switch Port                       cs28Label=SwitchPort
    32  Switch Name                       cs29Label=SwitchName
    33  Switch IP Address                 cs30Label=SwitchIp
    34  Services                          cs31Label=Services
    35  Server                            cs32Label=IsServer
    36  NAC Profile                       cs33Label=NAC_Profile
    37  NAC Profile Source                cs34Label=NAC_ProfileSource
    38  Access Point IP Address           cs35Label=AccessPointIp
    39  Access Point Name                 cs36Label=AccessPointName
    40  SSID                              cs37Label=SSID
    41  Authentication Method             cs38Label=AuthMethod
    42  Encryption Cipher                 cs39Label=EncryptionCipher
    43  AD Username                       cs40Label=AD_Username
    44  AD Domain                         cs41Label=AD_Domain
    45  Applications                      cs42Label=Applications
    46  Tags                              cs43Label=Tags
    47  OS Combined                       cs44Label=os_combined
    IoT Security supplies Cortex XSOAR with device attributes, and XSOAR converts them into Common Event Format (CEF) before sending them to the SIEM server.
    Example of the device attributes for an Apple iPad in CEF:
    INFO:siem-syslog:CEF:0|PaloAltoNetworks|PANWIOT|1.0|asset|Asset Identification|1|dvc=10.1.1.39 dvcmac=cc:d2:81:33:bd:6a dvchost=iPad cs1Label=Profile cs1=iPad cs2Label=Category cs2=Smartphone or Tablet cs3Label=Type cs3=Non_IoT cs4Label=Vendor cs4=Apple Inc. cs5Label=Model cs5=iPad11,1 cs6Label=Vlan cs6=330 cs7Label=Site cs7=test-1117-04 cs8Label=RiskScore cs8=20 cs9Label=RiskLevel cs9=Low cs10Label=Subnet cs10=10.1.1.0/24 cs15Label=FirstSeenDate cs15=2020-04-07T22:04:20.000Z cs16Label=ConfidenceScore cs16=95 cs17Label=OsGroup cs17=iOS cs22Label=EndpointProtection cs22=not_protected cs25Label=DHCP cs25=Yes cs26Label=WireOrWireless cs26=wireless cs42Label=Applications cs42=Zoom,iCloud,iTunes cs44Label=os_combined cs44=iOS
    Example of an alert about an outdated version of Chrome:
    CEF:0|PaloAltoNetworks|PANWIOT|1.0|PaloAltoNetworks Alert:policy_alert|Outdated Chrome version used by IoT device|2|dvcmac=14:91:38:b5:22:18 src=10.1.20.14 shost=unknown dhost=UNKNOWN URL fileId=0oakC30 fileType=alert rt=2020-12-30T23:07:24.000Z deviceCustomDate1=1609369890526 cs1Label=Description cs1=The usage of an outdated Chrome version has been detected on this device. Using older versions of a web browser can expose your device to security risks. cs2Label=Values cs2=[{'label': 'user agent', 'value': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36'}]
    Example of a vulnerability test:
    INFO:siem-syslog:CEF:0|PaloAltoNetworks|PANWIOT|1.0|vulnerability|Vulnerability Test - Medium|1|dvc=10.1.3.54 dvcmac=64:16:7f:4c:d1:53 dvchost=Polycom_64167f4cd153 cs1Label=Profile cs1=Polycom Video Conferencing Device cs2Label=Category cs2=Video Audio Conference cs3Label=Profile cs3=Office cs4Label=Vendor cs4=Polycom cs5Label=Model cs5=Trio8800 cs8Label=RiskScore cs8=26 cs9Label=RiskLevel cs9=Low cs11Label=vulnerabilityName cs11=Vulnerability Test - Medium cs12Label=DetectionDate cs12=2020-12-23T23:59:59.000Z cs17Label=OsGroup cs17=Embedded cs19Label=OsSupport cs19=Embedded
  2. Note the IP address of the SIEM server and the port number on which it listens for syslog messages.
    You will need this information when configuring the SIEM instance in Cortex XSOAR.
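The SIEM side of this setup has to turn each csNLabel/csN pair into a named device attribute, tolerate values that contain spaces ("Smartphone or Tablet", "UNKNOWN URL"), and handle CEF's backslash escapes in the header. The parser below is an added example, not Palo Alto Networks or Cortex XSOAR code; it runs over the three messages shown above (abridged, with the quotes removed) plus one constructed line that exercises the escapes. It also deals with a case the table above creates: both cs1 and cs3 carry the label "Profile", so a mapping that keys on the label alone silently loses one of the two values.

```python
"""Parse CEF records relayed by Cortex XSOAR and resolve custom-string labels.

Added example (not Palo Alto Networks or XSOAR code). Sample messages are
copied from this page (abridged); ESCAPED is constructed to show escaping.
"""
import re
from typing import Dict, List, Tuple

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# Custom extension keys that may carry a companion "<key>Label" field.
LABELLED_KEY = re.compile(
    r"^(cs\d+|cn\d+|cfp\d+|deviceCustomDate\d+|flexString\d+|flexDate\d+)Label$")

# A new extension token starts at a space followed by "key=". Splitting only
# there keeps values with embedded spaces intact.
KEY_BOUNDARY = re.compile(r" (?=[A-Za-z0-9_]+=)")

IPAD_ASSET = ("INFO:siem-syslog:CEF:0|PaloAltoNetworks|PANWIOT|1.0|asset|Asset Identification|1|"
              "dvc=10.1.1.39 dvcmac=cc:d2:81:33:bd:6a dvchost=iPad cs1Label=Profile cs1=iPad "
              "cs2Label=Category cs2=Smartphone or Tablet cs3Label=Type cs3=Non_IoT "
              "cs4Label=Vendor cs4=Apple Inc. cs5Label=Model cs5=iPad11,1 cs6Label=Vlan cs6=330 "
              "cs8Label=RiskScore cs8=20 cs9Label=RiskLevel cs9=Low cs44Label=os_combined cs44=iOS")
CHROME_ALERT = ("CEF:0|PaloAltoNetworks|PANWIOT|1.0|PaloAltoNetworks Alert:policy_alert|"
                "Outdated Chrome version used by IoT device|2|dvcmac=14:91:38:b5:22:18 "
                "src=10.1.20.14 shost=unknown dhost=UNKNOWN URL fileType=alert "
                "rt=2020-12-30T23:07:24.000Z cs1Label=Description cs1=The usage of an outdated "
                "Chrome version has been detected on this device. cs2Label=Values "
                "cs2=[{'label': 'user agent', 'value': 'Mozilla/5.0 (X11; Linux x86_64)'}]")
VULN_TEST = ("INFO:siem-syslog:CEF:0|PaloAltoNetworks|PANWIOT|1.0|vulnerability|"
             "Vulnerability Test - Medium|1|dvc=10.1.3.54 dvchost=Polycom_64167f4cd153 "
             "cs1Label=Profile cs1=Polycom Video Conferencing Device cs3Label=Profile cs3=Office "
             "cs11Label=vulnerabilityName cs11=Vulnerability Test - Medium cs17Label=OsGroup cs17=Embedded")
# Constructed line: an escaped pipe in the header name and an escaped "=" in a value.
ESCAPED = "CEF:0|PaloAltoNetworks|PANWIOT|1.0|asset|Name with \\| pipe|1|dvc=10.0.0.5 msg=a\\=b"


def _split_header(text: str) -> Tuple[List[str], str]:
    """Consume the seven pipe-delimited header fields; return them and the raw extension."""
    parts: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(text) and len(parts) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # escaped pipe or backslash is literal
            cur.append(text[i + 1])
            i += 2
        elif ch == "|":
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    return parts, text[i:]


def _unescape(value: str) -> str:
    r"""Undo extension escapes: \= -> =, \\ -> \, \n and \r -> line breaks."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def resolve_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Store each csN value under its csNLabel name; keep unlabelled keys as-is.

    A label that is already taken (cs1 and cs3 are both "Profile" in the
    table above) is suffixed with its key rather than overwriting the first.
    """
    labels: Dict[str, str] = {}
    for key, value in ext.items():
        m = LABELLED_KEY.match(key)
        if m and m.group(1) in ext:
            labels[m.group(1)] = value
    attrs: Dict[str, str] = {}
    for key, value in ext.items():
        if key in labels:
            name = labels[key]
            if name in attrs:
                name = f"{name}.{key}"
            attrs[name] = value
        elif not LABELLED_KEY.match(key):
            attrs[key] = value
    return attrs


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one syslog line carrying a CEF record; any prefix before "CEF:" is ignored."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in line")
    header, raw_ext = _split_header(line[start:])
    if len(header) != 7:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    record: Dict[str, object] = dict(zip(HEADER_FIELDS, header))
    record["cef_version"] = header[0][len("CEF:"):]
    ext: Dict[str, str] = {}
    for token in KEY_BOUNDARY.split(raw_ext.strip()):
        if token:
            key, _, value = token.partition("=")
            ext[key] = _unescape(value)
    record["extension"] = ext
    record["attributes"] = resolve_labels(ext)
    return record


if __name__ == "__main__":
    for sample in (IPAD_ASSET, CHROME_ALERT, VULN_TEST, ESCAPED):
        rec = parse_cef(sample)
        print(rec["signature_id"], rec["severity"], rec["attributes"])
```

When mapping these attributes into SIEM fields, key on the resolved label (RiskScore, Vlan, os_combined) rather than on the raw csN slot: the asset and vulnerability messages above reuse cs11 and cs12 for different attributes (alert counts in one, vulnerabilityName and DetectionDate in the other), so the slot number alone does not identify the attribute.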
