Knowledge Base – SGBox Next Generation SIEM & SOAR (https://www.sgbox.eu)

Custom Report
Source: https://www.sgbox.eu/en/knowledge-base/custom-report/ (Fri, 18 Apr 2025 14:16:16 +0000)

Custom reports are used to filter search results and extract information from different classes.
To create a Custom Report go to LM > Custom Report. This page opens the list of existing reports and also lets you create a new one.

Requirements:

  • SGBox version 6.0.0
Main Page

The main page displays information about the Custom Reports, including their owners and associated tags. 

  1. Action box:
    • Select All: Selects all the custom reports in the table.
    • Multiple Editing: Opens a dialog that allows the multiple editing of selected custom reports.
    • Remove: Opens a dialog that allows the removal of custom reports.
  2. Filter box:
    • Input Field: Used to filter the entire table. The filter value is compared with all the cells.
    • Pin Icon: Used to pin the filter so that it survives a page reload.
  3. Table Actions box:
    • Plus Icon: Opens a new page for adding a custom report.
    • .CSV: Downloads the table in CSV format.
    • .XLS: Downloads the table in XLS format.
    • Edit Icon: Opens a new page for editing a custom report.
  4. Edit icon:
    • Opens a new page that allows editing the Custom Report.

Create New Custom Report 

Click on the "+" button to create a new Custom Report. Once created you can set different options:

  • Time Interval: filters the selected Time Range. (SGBox has predefined intervals such as Working hours, Working hours excluding lunch time, etc.) The icon next to the input redirects the user to the Intervals page.
  • Actions box:
    • Export CSV: SGBox performs the search and saves the results in a CSV file.
    • Save: saves the custom report.
  • Translate Parameters: this switch must be turned on if you want to display your parameter values as aliases.
  • Parameters Configuration: The parameters configuration offers different search modes for filtering results and providing them to the RS Module. Each parameter can be selected or deselected to be shown or hidden in the results.
  • Filter Type: The default filter type is regex; the search type (plain text match) is useful when you need to filter the results by a path, because every character of the value is then taken literally rather than as a regex metacharacter. Case sensitivity applies to both types.
    • When applying a filter in conjunctive mode (AND), only results that satisfy all the filters are returned.
    • Conversely, when using a filter in disjunctive mode (OR), results that satisfy at least one of the filters are returned.
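The following is an added example (not SGBox code) that models the two filter types and the AND/OR modes described above over a constructed set of result rows; the row fields and values are assumptions, and it shows why a path containing regex metacharacters such as "(1)" needs the search type.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Filter:
    field: str
    value: str
    kind: str = "regex"            # "regex" (the default filter type) or "search" (plain substring)
    case_sensitive: bool = False   # applies to both filter types

    def matches(self, row: Dict[str, str]) -> bool:
        cell = row.get(self.field, "")
        if self.kind == "search":
            # plain match: every character of the value is taken literally
            if self.case_sensitive:
                return self.value in cell
            return self.value.lower() in cell.lower()
        flags = 0 if self.case_sensitive else re.IGNORECASE
        return re.search(self.value, cell, flags) is not None

def apply_filters(rows: List[Dict[str, str]], filters: List[Filter], mode: str = "AND"):
    """Conjunctive mode (AND) keeps rows satisfying every filter;
    disjunctive mode (OR) keeps rows satisfying at least one."""
    if mode not in ("AND", "OR"):
        raise ValueError("mode must be AND or OR")
    combine = all if mode == "AND" else any
    return [row for row in rows if combine(f.matches(row) for f in filters)]

# Constructed sample search results (not real SGBox data)
ROWS = [
    {"host": "srv01", "user": "alice", "path": "/etc/ssh/sshd_config", "result": "success"},
    {"host": "srv01", "user": "bob", "path": "/tmp/report(1).pdf", "result": "failure"},
    {"host": "ws-07", "user": "Alice", "path": "C:\\Users\\Alice\\report(1).pdf", "result": "success"},
]

if __name__ == "__main__":
    # A path containing "(1)": the search type matches it literally (2 rows),
    # while as a regex "(1)" is a capturing group matching the bare digit (0 rows).
    print(len(apply_filters(ROWS, [Filter("path", "report(1)", kind="search")])))
    print(len(apply_filters(ROWS, [Filter("path", "report(1)", kind="regex")])))
    # AND: successful logins of alice, case-insensitive (2 rows) vs case-sensitive (1 row)
    print(len(apply_filters(ROWS, [Filter("user", "^alice$"), Filter("result", "success")], "AND")))
    print(len(apply_filters(ROWS, [Filter("user", "^alice$", case_sensitive=True),
                                   Filter("result", "success")], "AND")))
    # OR: failures or anything from ws-07 (2 rows)
    print(len(apply_filters(ROWS, [Filter("result", "failure"), Filter("host", "ws-07")], "OR")))
```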

Results appear after clicking on the Search button, and it is possible to refine the search by clicking on the Pin icon to show the configuration. The Custom Report page provides two different views and you can alternate between them using the icons (1).

You can share a custom report with other users. Each user owns their own custom reports, but you can share one with other users so that they can view it after logging in.

LCE Rules
Source: https://www.sgbox.eu/en/knowledge-base/lce_rules/ (Tue, 15 Apr 2025 08:44:17 +0000)

📝 Add and modify new rule

This page allows you to create and edit a rule.

A correlation rule is used to alert the admin when an event, or a series of events, occur in a specified time range.

✔️ Requirements:

  • A mail server must be configured. Check the Configure a Mail server section for setup instructions.
  • The pattern must belong to a specific class and be assigned to hosts.

Using the SGBox web interface: SGBox → LCE → Rules

  1. The plus icon opens the rule creation page.
  2. The play icon redirects the user to the edit page with a test view.
  3. The clone icon opens a modal that allows the user to fill in the name and description fields.
  4. The edit icon redirects the user to the edit page for modifications.
  5. The trash icon highlights the row in red and enables the delete button (6).

🛠️ Rule Creation Interface

  1. Left Section: Users can select one or more patterns to include in the rule. To choose a category, click on the category navigation button.
  2. Right Section (Pattern/category Containers): Displays selected elements with their associated parameters. Categories show only common parameters among patterns.
  3. Header Section: Defines time intervals and shows available actions triggered by the Rule Engine.
  4. Bottom Section: Contains the test and save buttons.

Clicking on the show actions button opens a sidebar displaying the available actions.

🚀 Actions

✉️ Send Mail

  • recipient: Enter a list of valid email addresses separated by commas.
  • email subject: When triggered, an email with the specified subject will be sent to all recipients.

🗓️ Generate Event

  • host: The event will be registered using localhost or the host associated with the event.
  • class: The selected class will be linked to the generated event. You can create a new class if needed.
  • subfamily: The selected subfamily will be associated with the event. The rule inherits its score.
  • event: Specify the name and description of the event.
  • Parameters: Select up to 10 parameters to include in the event. Parameters from different patterns/categories cannot be duplicated.
  • Issue aggregation: Refers to the IM Module.

✍️ Generate Log

  • Log line text: Creates a log entry in SGBox upon rule trigger. View logs via LM → Analysis → Historical Search.
  • Rule Pattern: Displays a dropdown with pattern parameters, allowing values to be assigned.

📋 Add To List

  • List: The selected pattern will be added to the list if not already present.
  • Parameters: The parameter to add to the selected list.

</> Execute Script

  • Log Line Text: Creates a log entry in SGBox when the rule is triggered. View logs via LM → Analysis → Historical Search.
  • Host: Specify the host (IP address or hostname) where the script is located.
  • User name: Provide the username for access.
  • Password: Provide the associated password.
  • Script Path: Specify the script's location.
  • Script Arguments: Arguments passed to the script.
  • Rule patterns: Displays a dropdown with pattern parameters, allowing values to be assigned.

💻 Execute Application

  • Applications: The selected application will execute upon rule trigger.
  • Action: Defines the action the application will perform.
  • Application arguments: Arguments passed to the application.
  • Rule patterns: Displays a dropdown with pattern parameters, allowing values to be assigned.

📲 Call API

  • API Url: The URL of the API to call when the rule is triggered.
  • Data Fields: The selected parameters will be sent via a GET request by default.
  • Use POST: If enabled, all parameters will be sent using a POST request in JSON format.

📌 Practical Example

This rule is designed to identify suspicious behavior where a failed login attempt to SGBox is immediately followed by a successful login and a user modification action. Such a sequence could indicate an unauthorized attempt to gain access and alter user credentials.

To make the detection more precise, the rule is configured to trigger only outside regular working hours by setting the time interval to Non-Working Hours. Additionally, it applies only if the access attempt is made by a specific user listed in a predefined group. The first pattern is restricted to localhost, meaning only login attempts on the local machine are considered relevant.

To ensure the integrity of the detection process, the rule verifies that all events originate from the same machine by enabling the Previous Host option. This prevents unrelated events from being linked together incorrectly. Furthermore, the Relative Column is used to maintain consistency in event parameters, ensuring that the entire sequence follows a logical flow before triggering an alert.
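The following is an added example (not SGBox's Rule Engine code) that reproduces the logic of this practical example over constructed events: a three-step chain restricted to a user group and to localhost for the first pattern, a Non-Working Hours interval (its definition here is an assumption), the Previous Host check, a Relative Column on the user parameter, and the chain timeout. The pattern names and the WATCHED_USERS group are constructed stand-ins.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Optional

@dataclass
class Event:
    ts: datetime
    host: str
    pattern: str
    params: Dict[str, str]

@dataclass
class Step:
    pattern: str
    where: Callable[[Event], bool] = lambda e: True  # per-pattern restriction (e.g. localhost only)
    previous_host: bool = False                        # must come from the same host as the previous step
    relative: Optional[str] = None                     # parameter that must equal the previous step's value

@dataclass
class Rule:
    steps: List[Step]
    timeout: int                                       # seconds in which the whole chain must occur
    in_interval: Callable[[datetime], bool]            # time interval the rule is active in

# Assumed definition of the Non-Working Hours interval: weekends, or before 08:00 / from 18:00
def non_working_hours(ts: datetime) -> bool:
    return ts.weekday() >= 5 or ts.hour < 8 or ts.hour >= 18

WATCHED_USERS = {"admin", "root"}      # constructed stand-in for the predefined user group

def is_localhost(e: Event) -> bool:
    return e.host in ("127.0.0.1", "localhost")

def correlate(events: List[Event], rule: Rule) -> List[List[Event]]:
    """Return every chain of events that completes the rule's step sequence.
    A chain starts at an event matching step 0 and advances, in time order,
    on the next event matching each subsequent step; it is dropped when the
    timeout elapses before the last step is seen."""
    events = sorted(events, key=lambda e: e.ts)
    chains = []
    first = rule.steps[0]
    for i, start in enumerate(events):
        if start.pattern != first.pattern or not first.where(start) or not rule.in_interval(start.ts):
            continue
        chain = [start]
        for e in events[i + 1:]:
            if (e.ts - start.ts).total_seconds() > rule.timeout:
                break                                  # chain expired
            step, prev = rule.steps[len(chain)], chain[-1]
            if e.pattern != step.pattern or not step.where(e):
                continue
            if step.previous_host and e.host != prev.host:
                continue                               # Previous Host check
            if step.relative and e.params.get(step.relative) != prev.params.get(step.relative):
                continue                               # Relative Column check
            chain.append(e)
            if len(chain) == len(rule.steps):
                chains.append(chain)
                break
    return chains

def build_rule(timeout: int = 300) -> Rule:
    return Rule(
        steps=[
            Step("sgbox_login_failed", where=lambda e: is_localhost(e) and e.params.get("user") in WATCHED_USERS),
            Step("sgbox_login_success", previous_host=True, relative="user"),
            Step("sgbox_user_modified", previous_host=True, relative="user"),
        ],
        timeout=timeout,
        in_interval=non_working_hours,
    )

# Constructed sample events (pattern names are hypothetical); 12 Apr 2025 is a Saturday
def T(h, m): return datetime(2025, 4, 12, h, m)
EVENTS = [
    Event(T(2, 10), "127.0.0.1", "sgbox_login_failed", {"user": "admin"}),
    Event(T(2, 11), "127.0.0.1", "sgbox_login_success", {"user": "admin"}),
    Event(T(2, 12), "127.0.0.1", "sgbox_user_modified", {"user": "admin", "target": "auditor"}),
    # Same sequence, but the login succeeds from another host: Previous Host breaks the chain
    Event(T(3, 0), "127.0.0.1", "sgbox_login_failed", {"user": "root"}),
    Event(T(3, 1), "10.0.0.5", "sgbox_login_success", {"user": "root"}),
    Event(T(3, 2), "10.0.0.5", "sgbox_user_modified", {"user": "root"}),
]

if __name__ == "__main__":
    for chain in correlate(EVENTS, build_rule()):
        print(" -> ".join(f"{e.ts:%H:%M} {e.pattern}" for e in chain))
```

With the 300-second timeout only the first sequence is reported; lowering the timeout to 60 seconds drops it too, because the third event arrives 120 seconds after the first.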

At this point, the rule must be saved. By clicking the Save button in the Bottom Section, a modal window will appear with the following fields:

 
  • Name: The name of the rule, which can be up to 255 characters long. This field is required.
  • Description: A description of the rule, which can be up to 255 characters long. This field is also required.
  • Score: The value inherited from the subfamily when the Generate Event action is set. Otherwise, it will default to 0.
  • Enable Rule: If set to true, the Rule Engine will analyze the events of this rule to determine when to trigger it.
  • Retention: Defines after how many days the rule's history will be deleted (this value is displayed on the main page).
  • Timeout: This value specifies the number of seconds in which the event chain must occur.

After configuring these parameters, you can confirm the operation and save the rule.

After saving the rule, the next step is to set an action and notify the administrators when the rule is triggered. To do so, you will need to configure the “send mail” action and save the entire rule.

Once the action is set, it is important to enable the rule so that it can be considered by the Rule engine. Additionally, the retention value must be configured appropriately.

Here is an example of the email that the administrator will receive once the rule is triggered. The email includes the count of the times the rule has been triggered, as well as all relevant patterns and their details, providing the necessary information to ensure proper understanding of the event that occurred.

➕ Additional Actions:

  • Swap: Swaps the container with the next selected one.
  • Resize: Shrinks the container, displaying only the pattern name.
  • Delete: Removes the pattern from the rule.

🔎 Test View

The Test View provides a way to preview events that match the previously defined rule flow. You can access this view by clicking the Test button. In essence, when one or more triggers occur, this view allows you to verify the corresponding events.

The page is divided into two main sections:

  • Upper Section: Displays an intuitive chart that visually represents the event flow.
  • Bottom Section: Lists the events along with their parameter values.

Users can adjust the time range to refine their analysis. However, it is important to note that rules are a powerful tool—using an excessively wide time range may result in long processing times.

When filters are applied, they appear on the left side of the interface, as shown in the image below. Otherwise, the chart expands to occupy the full available space.

Clicking on an event in the chart automatically filters the table below to display relevant details.

  • N/A indicates that the pattern does not collect that specific parameter.
  • Please note: To ensure an accurate test, make sure that the latest changes have been saved before executing the test.

🔧 Operators

The various operators are explained below:

  • Equals: Matches values that are exactly the same.
  • Differs: Matches values that are different.
  • Greater than: Matches values that are strictly greater than the specified value.
  • Lower than: Matches values that are strictly lower than the specified value.
  • Greater or equal: Matches values that are greater than or equal to the specified value.
  • Lower or equal: Matches values that are lower than or equal to the specified value.
  • Contains a substring: Matches values that include a specified substring.
  • Belongs to a set: Matches values that exist in a predefined set.
  • Does not belongs to a set: Matches values that do not exist in a predefined set.
  • Belongs to a network: Matches IPs that are within a specified network range.
  • Does not belongs to a network: Matches IPs that are outside a specified network range.
  • Belongs to a time range: Matches values that fall within a specific time range.
  • Does not belong to a time range: Matches values that fall outside a specific time range.
  • Belong to a set – regexp: Matches values that conform to a regular expression within a predefined set.
  • Does not belong to a set – regexp: Matches values that do not conform to a regular expression within a predefined set.
  • Belongs to a set – regexp (case insensitive): Matches values (case insensitive) that conform to a regular expression within a predefined set.
  • Does not belong to a set – regexp (case insensitive): Matches values (case insensitive) that do not conform to a regular expression within a predefined set.
  • Regular expression search: Matches values using a specified regular expression.
  • Regular expression search (case insensitive): Matches values using a case-insensitive regular expression.
  • host:port corresponds to a vulnerable host:port: Matches hosts and ports that are identified as vulnerable.
  • host:port is associated with a known vulnerability: Matches hosts and ports linked to documented vulnerabilities.
  • This host has been tested with NVS module: Matches hosts that have been analyzed using the NVS module.
  • Host: port is down: Matches hosts or ports that are unreachable.
  • Host port is up: Matches hosts or ports that are active and reachable.
  • A value in left set belongs to a value in right set: Matches when at least one value from the left set is present in the right set.
  • This value has a reputation: Matches values that have a known reputation score.
  • Belong to a list: Matches values that exist in a predefined list.
  • Does not belong to a list: Matches values that do not exist in a predefined list.
  • Is longer than: Matches values that exceed a specified length.
  • is shorter than: Matches values that are below a specified length.
  • Belongs to a list (exact match): Matches values that exactly match an entry in the list.
  • Matches with list: Matches values that have at least one common element with a predefined list.
  • Match with text: Matches values against a list of regular expressions.
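The following is an added example (not SGBox code) implementing the comparison, set, network, time-range and regular-expression operators from the table above as a dispatch table keyed by the operator names, so a rule condition can be evaluated against a single event parameter. The argument shapes (CIDR strings for networks, (start, end) tuples for time ranges, iterables for sets) are assumptions; the NVS, reputation and list-based operators need SGBox data and are left out.

```python
import re
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Any, Callable, Dict

def _num(v: Any) -> float:
    return float(v)

def _clock(v: Any) -> time:
    if isinstance(v, time):
        return v
    hours, minutes = v.split(":")
    return time(int(hours), int(minutes))

def in_time_range(value: Any, rng) -> bool:
    """True if value (HH:MM or datetime.time) falls in [start, end];
    a range whose end is earlier than its start wraps past midnight, e.g. 22:00-06:00."""
    start, end = _clock(rng[0]), _clock(rng[1])
    v = _clock(value)
    if start <= end:
        return start <= v <= end
    return v >= start or v <= end

# Operator names as they appear in the SGBox table; argument shapes are assumptions:
# sets are Python iterables, networks are CIDR strings, time ranges are (start, end).
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "Equals": lambda v, a: v == a,
    "Differs": lambda v, a: v != a,
    "Greater than": lambda v, a: _num(v) > _num(a),
    "Lower than": lambda v, a: _num(v) < _num(a),
    "Greater or equal": lambda v, a: _num(v) >= _num(a),
    "Lower or equal": lambda v, a: _num(v) <= _num(a),
    "Contains a substring": lambda v, a: a in v,
    "Belongs to a set": lambda v, a: v in set(a),
    "Does not belongs to a set": lambda v, a: v not in set(a),
    "Belongs to a network": lambda v, a: ip_address(v) in ip_network(a, strict=False),
    "Does not belongs to a network": lambda v, a: ip_address(v) not in ip_network(a, strict=False),
    "Belongs to a time range": in_time_range,
    "Does not belong to a time range": lambda v, a: not in_time_range(v, a),
    "Belong to a set – regexp": lambda v, a: any(re.search(p, v) for p in a),
    "Does not belong to a set – regexp": lambda v, a: not any(re.search(p, v) for p in a),
    "Belongs to a set – regexp (case insensitive)": lambda v, a: any(re.search(p, v, re.I) for p in a),
    "Regular expression search": lambda v, a: re.search(a, v) is not None,
    "Regular expression search (case insensitive)": lambda v, a: re.search(a, v, re.I) is not None,
    "A value in left set belongs to a value in right set": lambda v, a: bool(set(v) & set(a)),
    "Is longer than": lambda v, a: len(v) > int(a),
    "is shorter than": lambda v, a: len(v) < int(a),
}

def evaluate(operator: str, value: Any, argument: Any) -> bool:
    """Apply one operator to an event parameter value. A value that cannot be
    interpreted for the operator (non-numeric text for 'Greater than', a
    malformed IP for a network check) simply does not match."""
    if operator not in OPERATORS:
        raise KeyError(f"unknown operator: {operator}")
    try:
        return bool(OPERATORS[operator](value, argument))
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed checks, e.g. an authentication event's source IP and time of day
    print(evaluate("Belongs to a network", "10.1.2.3", "10.1.0.0/16"))              # True
    print(evaluate("Belongs to a time range", "23:30", ("22:00", "06:00")))         # True
    print(evaluate("Greater than", "n/a", "9"))                                      # False
    print(evaluate("Regular expression search (case insensitive)",
                   "Failed Password", r"failed\s+password"))                          # True
```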

6.0.7
Source: https://www.sgbox.eu/en/knowledge-base/6-0-7/ (Thu, 10 Apr 2025 09:38:17 +0000)

A new version of SGBox that improves features and performance has been released.

SGBOX > SCM > Applications > SGBox Updates

Cato Network – SGBox SIEM Integration Guide
Source: https://www.sgbox.eu/en/knowledge-base/cato-network-sgbox-siem-integration-guide/ (Mon, 07 Apr 2025 08:53:36 +0000)

This guide explains how to configure SGBox to make API calls to Cato Networks in order to collect, in SGBox SIEM, the events related to the network and IDS/IPS activities managed by Cato.

To complete the tasks outlined in this guide, you need to:

  • Create an API key and obtain your Account ID from Cato Networks.
  • Configure the SGBox Playbooks for Cato Networks.

Overview of Cato API Keys

The API Keys page lets you generate API keys in the Cato Management Application; they are used to authenticate to the Cato API server. An API client or a script presents the API key to authenticate its API calls to Cato.

Cato supports two types of API calls:

  • View permissions – Perform read-only API calls to retrieve data for your account
  • Edit permissions – Perform write API calls to make changes to your account

Note: SGBox uses the eventsFeed API to ingest event data, so make sure that Enable integration with Cato events is selected in the Resources > Event Integrations page.

Generating an API Key

  • In the navigation menu, click Account > API Keys.
  • Click New. The Create API Key panel opens.
  • Enter a Key Name.
  • Select option View in the API Permission for this key.
  • (Optional) Select a date that the API key Expires at.
  • In Allow access from IPs, select Specific IP list, and define the IP addresses that are allowed to use this API key, including the SGBox IP Address.
    •  The default setting is to allow this API key for Any IP address.
  • Click Apply. The API key is added and a popup window containing the new API key is displayed.
  • Click (Copy) and copy the API Key that is generated by the Cato Management Application and save it to a secure location.
    • Once you close this window, you can’t access the value for the API key.
  • Click OK to close the pop-up window.

Obtain your Account ID from Cato Networks

Account ID Location:

Log in to your Cato Networks Editors Account.

  • The Account ID is found within the Cato Management Application, by navigating to Account > Account Info.
  • It is also shown within the URL of the Cato account when logged in.
    • For example, if your Account ID is "1234" then the URL should look like: https://sgbox.catonetworks.com/#!/1234/topology

Configure SGBox Playbooks for Cato Networks

Add Custom Host

You must define a Host in SGBox so that the logs collected from Cato are written into the SIEM, where they can be archived and analyzed.

  • Go to SCM > Network > Host list
  • Click the button ➕ New Host
  • Insert “CatoNetwork” in the Host field and Save the new host

Cato Network Package Installation

A Cato Network package must also be installed in SGBox; it deploys the SIEM configuration used to collect and analyze Cato events.

  • Go to SCM > Applications > Packages and install the package named "Cato Network" by clicking the Install button.
  • During the installation of the package, in the field Select the hosts the package will be associated with, choose "CatoNetwork", previously defined in the Host list.

  • Click Install to finish the installation.

Cato Network PB Configuration

  • Go to SCM > PB > Playbook and edit [Cato] Network Get RawLogs.
  • Edit the node called [SET] Credentials Parameters, insert the API key and Account ID obtained from Cato, and save the changes on the node by clicking the Save button.
  • Edit the node called [WRITE] RawLog; in the field choose from list, choose "CatoNetwork", previously defined in the Host list, and save the changes on the node by clicking the Save button.

  • To save all changes and exit the [Cato] Network Get RawLogs playbook, click the Save button.
  • Schedule the [Cato] Network Get RawLogs PB by clicking the button with the clock icon 🕓, set an appropriate time interval (not less than 5 minutes) and save the change. To run the Playbook, click the Execute button and choose Background run.

If the API connection between Cato Networks and SGBox is working, a green 🟢 icon appears in the Status column, and in the Host list the Last Log column for the CatoNetwork host starts showing the timestamp of the last data received from Cato in SGBox.

Note: to check the availability of the data collected by SGBox you can also refer to the Historical Search page: https://www.sgbox.eu/en/knowledge-base/historical-search/

If the execution of the PB gives an error, a red icon 🔴 is shown. In this case, check the configuration to make sure that there are no errors in the parameters needed for the API connection. If the problem persists, you can open a ticket to SGBox Support via the ticketing portal: https://sgboxportal.sgbox.it/portal/en/signin

Analyzing collected data

Go to LM > Configuration > Mapping, edit the mapping called [Cato] Network, and in the field choose from list choose "CatoNetwork", previously defined in the Host list. Save the changes by clicking the OK button, then Confirm.

In this way, SGBox will begin to analyze the events it has collected, which will be searchable from the SGBox analysis pages (Class/Pattern analysis, Custom Report List, Dashboard).

The SGBox Collector (v6)
Source: https://www.sgbox.eu/en/knowledge-base/the-sgbox-collector-v6/ (Wed, 26 Mar 2025 14:02:25 +0000)

The collector is a virtual appliance based on the Linux operating system. It performs certain SGBox tasks, such as collecting logs from local data sources and sending them to SGBox over an encrypted HTTPS channel (port 443). In addition, the collector caches the data if the communication between the collector and SGBox is interrupted while data from the sources is being sent.

Requirements:

  • A collector must be deployed in your virtual infrastructure.
    • HDD 50 GB
    • RAM 4 GB
    • CPU 2 Core
    • The ports utilized by collector can be seen here Network Requirements

Note: the minimum requirements given above are what the appliance image takes automatically when deployed in the virtualization environment. The hardware resources should be resized according to the tasks the collector will have to perform. For example, if the collector is used to run vulnerability scans you need to increase the resources: we suggest a minimum of 4 CPU and 8 GB of RAM (preferably 8 CPU and 16 GB of RAM).

Collector network configuration

You can configure the Collector network using the CLI tool present on the collector. Connect via SSH (using a program like PuTTY, or the virtualization console) to the Collector, specifying the User and Password.

version 6
User: cli
Pass: changeme

Choose Network configuration

Select Configure Collector interfaces

This option allows you to configure all the parameters (IP, Gateway, DNS and Domain) by following the wizard.

Select the interface you want to configure.

Select the static option from the menu.

Configure all the parameters

Configure all mandatory parameters (IP, Gateway, DNS and Domain). Note: if you want to add more than one DNS, you must use the character "," to separate the first DNS from the second, e.g. 1.2.3.254,8.8.8.8.

Click on Submit to finish the configuration and choose when to apply it.

Establishing a connection with SGBox

This article explains how to configure the communication between collector and SGBox. It’ll be used to download collector updates and to send logs received by the local devices to SGBox.

This communication is also useful to configure NVS checks made by the collector.

Requirements:

  • A collector must be deployed in your virtual infrastructure.
  • The configuration of the collector network must be finished.

Configure and register collector for SGBox Multi tenant

Connect via SSH (using a program like PuTTY, or the virtualization console) to the Collector, specifying the User and Password.

Tenant configuration

Choose Tenant configuration

Configure all the parameters by entering the SGBox IP address and Tenant UID.

Click on Submit to finish the configuration.

SGBox IP address: depending on where SGBox is located, you can insert a hostname, a public IP or a private IP.

TenantUID: the code that identifies the tenant. You can find it in SGMaster under SCM > Multi tenant > Manager: select TENANTS and read the code in the ID column.

Register the collector

Choose Collector

Select Register collector

Enter Key Probe for Connection: the password you configured during tenant creation.

If you can't remember the password, you can always reset it and get a new one from SGMaster under SCM > Multi tenant > Manager, by clicking the "Reset" button under the Connection key column. After that, follow the section To Restart Process below to restart the process.

SGBox Cloud

If your tenant is on SGBox Cloud, customers are asked to open a ticket to SGBox support via the ticket platform (https://sgboxportal.sgbox.it) by entering “collector registration for cloud tenant” in the subject of the ticket. 

External Cloud

Contact the person/company who manages SGBox for more guidance on how to obtain the key to register the collector and connect it to your tenant.

Configure a collector for SGBox Single tenant

Connect via SSH (using a program like PuTTY, or the virtualization console) to the Collector, specifying the User and Password.

Choose Tenant configuration

Configure all the parameters by entering the SGBox IP address.

Note: Configuring the TenantUID field is not necessary, so you can leave it blank.

Click on Submit to finish the configuration.

Go back to the main menu and select Configuration

Select Collector configuration editor

Change collector_legacy from 0 to 1

Click on Save to finish the configuration.

To Restart Process

After the configuration, go to the System option:

Go to Process Handling

Go to Services Management

For example, to restart a service, click on the service you want to restart.

In this case we want to restart sgbox-transfer, so we click on it.

Now click on stop service and then on start service.

Configure a collector as a probe

This section explains how to configure a collector as a probe in SGBox in order to launch a Vulnerability Scan check.

Requirements:

  • A collector must be deployed in your virtual infrastructure.
  • The configuration of the collector network must be finished.
  • Configure and register the collector.
  • Connect to the SGBox web interface inside the Tenant.

Go to SGBOX > SCM > Network > Probe

Click on the ➕ Add New Probe button and specify:

  • Collector IP Address
  • Collector Name
  • Network or networks that belong to this collector
Custom Report – Detailed
Source: https://www.sgbox.eu/en/knowledge-base/custom-report-detailed/ (Fri, 21 Mar 2025 11:10:43 +0000)

In this section you can create a PDF report starting from a previously configured Custom Report.
From RS > Report Catalog, select Custom Report – Detailed. Click on the printer icon, then select the time range and the custom report you want to use.
The generated report will be shown and stored in RS > Report archive.

You can personalize the data shown in the pie charts by selecting the "categorized by" flag.

Historical Search
Source: https://www.sgbox.eu/en/knowledge-base/historical-search/ (Wed, 12 Mar 2025 14:01:56 +0000)

This section is used to analyze logs coming from each data source. You can see them in: LM > Analysis > Historical Search

Logs are stored in a database; when you search them you can use operators like "AND", "OR" and "NOT" to filter the search results.
You can choose the host/asset from which you want to extract logs and set a time range. When "case sensitive" is active, the search checks the case (upper and lower) of the characters entered in the search bar.

Special characters (wildcards) can be used in requests as in the SQL language.
In particular, the character '%' represents an arbitrary number of characters while the character '_' represents a single character. For this reason the string "Beatrice" can be represented as "Bea%c_".
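The following is an added example (not SGBox code) that translates the '%' and '_' wildcards into a regular expression with the case-sensitive switch, and combines such patterns with AND, OR and NOT over constructed log lines. It assumes whole-value matching as in SQL LIKE, so a substring search is written with a leading and trailing '%'; the query shape (OR-ed groups of AND-ed terms) is an assumption, not SGBox's query syntax.

```python
import re
from typing import List, Tuple

def like_to_regex(pattern: str, case_sensitive: bool = False) -> "re.Pattern[str]":
    """Translate an SQL-style wildcard pattern into a compiled regex:
    '%' matches any run of characters, '_' exactly one character, and every
    other character (including regex metacharacters such as '.') is literal.
    The whole value must match, as with SQL LIKE."""
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    flags = re.DOTALL if case_sensitive else re.DOTALL | re.IGNORECASE
    return re.compile("^" + "".join(parts) + "$", flags)

def like(value: str, pattern: str, case_sensitive: bool = False) -> bool:
    return like_to_regex(pattern, case_sensitive).match(value) is not None

# A query in disjunctive normal form: a list of OR-ed groups, each group a list of
# (pattern, negated) terms AND-ed together, so NOT is expressed by negated=True.
Query = List[List[Tuple[str, bool]]]

def search_logs(lines: List[str], query: Query, case_sensitive: bool = False) -> List[str]:
    def term_ok(line: str, term: Tuple[str, bool]) -> bool:
        pattern, negated = term
        return like(line, pattern, case_sensitive) != negated
    return [
        line for line in lines
        if any(all(term_ok(line, t) for t in group) for group in query)
    ]

# Constructed sample log lines (not real SGBox data)
LOG_LINES = [
    "Apr 12 02:10:01 srv01 sshd[812]: Failed password for admin from 10.0.0.5 port 51022 ssh2",
    "Apr 12 02:10:07 srv01 sshd[812]: Accepted password for admin from 10.0.0.5 port 51022 ssh2",
    "Apr 12 02:11:30 srv01 sudo: admin : TTY=pts/0 ; COMMAND=/usr/sbin/usermod -aG sudo auditor",
    "Apr 12 02:12:00 ws-07 sshd[90]: Failed password for root from 192.168.1.9 port 40000 ssh2",
]

# ("%Failed password%" AND NOT "%192.168.%") OR "%usermod%"
QUERY: Query = [
    [("%Failed password%", False), ("%192.168.%", True)],
    [("%usermod%", False)],
]

if __name__ == "__main__":
    print(like("Beatrice", "Bea%c_"))        # True: the example from the page
    for line in search_logs(LOG_LINES, QUERY):
        print(line)
```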

SIEM solutions integration with Apex Central
Source: https://www.sgbox.eu/en/knowledge-base/siem-solutions-integration-with-apex-central/ (Mon, 10 Mar 2025 15:26:52 +0000)

Syslog Configuration on Apex

Syslog configuration on Sangfor
Source: https://www.sgbox.eu/en/knowledge-base/syslog-configuration-on-sangfor/ (Mon, 10 Mar 2025 15:04:43 +0000)

6.0.6
Source: https://www.sgbox.eu/en/knowledge-base/6-0-6/ (Tue, 25 Feb 2025 10:49:57 +0000)

A new version of SGBox that improves features and performance has been released.

SGBOX > SCM > Applications > SGBox Updates