Installation and Configuration Requirements To execeute correctly the Agent, the following software is required: .NET Framework 4.0 Internet Explorer dll framework Outgoing open port 443 Antivirus Consideration We reported that some antivirus can interfere with the normal operation of the Agent (We have especially reported many cases with Sophos). Please be sure to insert an […]
On-Premise The SGBox appliance must be able to communicate via HTTPS with the following address: SGBox – Piattaforma Next Generation SIEM & SOAR The connection is required to access updates (available in the applications section of the SCM module). The appliance/collector operating system also uses HTTP/HTTPS protocols to access Ubuntu repositories (*.ubuntu.com). The appliance syslog […]
O365 Pre-Requirements To be able to download the logs from O365 tenant is necessary to: Generate the appropriate O365 Credentials: tenant, client_id, client_secret . You can check the appropriate Microsoft documentation Enable the correct permission on the O365 tenant, you can consult the appropriate Microsoft documentation Be sure that the SGBox Appliance can communicate with […]
Log decryption test This article explain where encrypted logs are stored in SGBox and how to perform some decryption test. First of all you need to know that after SGBox receives the logs it store the them in the Online Database in order to allows to do some searchs with Historical Search tool (LM > […]
Syslog forwarding from sgbox to another server This article explain how to forward logs/events received from SGBox to another server using syslog protocol. First off all you need to download the “SGBox syslog forwarder” application or ask support via ticket to unlock it. Remember that this application reads data from internal repository and forwards log, […]
👣 Steps This table will explain the very first main steps. It must be followed in order. You can use also the “done” temporary column to check the passage done. # Context Passage Link Done 1️⃣ All Registration to Ticket Portal to access Download Appliance and Documentation 🔗 Registration and Download 2️⃣ All Start wizard […]
On linux environment is not necessary to install a specific agent to send log to SGBox. The syslog protocol will be used. ifup eth0 ip a add 192.168.1.200/24 dev eth0 ip route add default via 192.168.1.254 If not already present, install rsyslog packet. zypper refresh zypper update zypper install vim zypper install rsyslog systemctl start […]
Below there is the principal methods to send data to the Appliance or Collector Supported System Method Link ✔ Windows (.NET 4.0+) Windows Agent Windows Agent Guide ✔ (Recommended) Any system that support syslog protocol RFC5424 / RFC3164 via UDP/TCP Syslog / rSyslog Syslog configuration example ✔ Any Unix system with installed rSyslog rSyslog read […]
Basic Authentication Some application requires basic authentication to retrieve information. curl –user “username:password” https://app.website.com/api… Username and password should be pass in SGBox Playbook in the following way: Encode your username/password in base64. In our case will be: dXNlcm5hbWU6cGFzc3dvcmQ= Create a new Authorization header with value: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
In /etc/ryslog.d/ add a file with priority like 60-myfileconfig.conf , this will be read after the main 50-default.conf file. In this example, to read a Desktop log file: $ModLoad imfile #Load the imfile input module $InputFilePollInterval 2 $InputFileName /home/user/Desktop/events.log $InputFileTag file-access: $InputFileStateFile stat-file-access $InputFileSeverity Info $InputRunFileMonitor $template file_log, ” %msg% ” if $programname == ‘file-access’ […]