PLAYBOOKS A playbook is used to perform a series of actions among the available ones, preserving the state and processing the result on each subsequent action. Starting from version 5.4.1, playbooks can be used in combination with list feeds and to retrieve logs from any external API. To associate a playbook with a list feed, […]
Syslog configuration on Cisco devices This article explain how to configure Cisco devices to send log to SGBox using syslog protocol. All the following command has been taken from this website: https://www.ciscopress.com/articles/article.asp?p=426638&seqNum=3 Log in to your device using a terminal link program (eg. Putty) and run the following command: Cisco Switches Console> (enable) set logging […]
Create a Dashboard Dashboards are used to display important items to the administrator as soon as you have logged in to SGBox. They can be configured differently so that each user puts information on his dashboard that is relevant to him/her. To create a new dashboard, connect to the web interface of SGBox. SGBox > […]
Configure Threat Intelligence Queries This article explain how to create a Threat Intelligence Query, that allows you to obtain simply the process of an Events Query to search a value in the list and take an action. In this way, queries can be used like LCE rules or sensors. Can be scheduled to run every minute […]
Events Queries as a Sensor In version 5.3.0 we introduce the Events Queries, the new mechanism to search events and produce alerts. (see this section).In this article we explain how to replace a sensor with an events query, in order to have more flexibility and use less SGBox resources. Requirements: SGBox version 5.3.0 Pattern must […]
Syslog configuration on Kaspersky This article explain how to configure Kaspersky to send log to SGBox using CEF protocol. Requirements SGBox 5.2.2 Valid Kaspersky license for export CEF/LEEF logs Click here. Log in to your Kaspersky Security Center console, from Administration Server select Events. Select Configure notification and event export and select the Siem configuration […]
Access to remote SGBox This feature is used when a customer has his own SGBox on premise and a service provider wants monitor customer’s events and incidents in order to alert him. This feature is used when a customer doesn’t want send logs out of his company. Requirements SGBox 5.0.3 or higher. First of all […]
How to configure and run AWA – Advanced Windows Audit AWA is an SGBox feature that leverage on the Microsoft Sysmon free Tool to increase the visibility of your Windows environment. AWA will help to detect malicious activity and promote better understanding of the in-deep aspect of Windows machines, by tracking many events and detailed […]
Before you begin If you started with SGBox from version 5.3.0 or above and/or if you have never installed the old SGBox Windows packages Windows package Base and Windows package Advanced, you don’t need to cleanup anything; just follow the standard installation steps. However, if you’re an old SGBox customer, or if you’ve installed one […]