Client Configuration – SGBox Next Generation SIEM & SOAR

Cato Network – SGBox SIEM Integration Guide

SGBox — Mon, 07 Apr 2025 08:53:36 +0000

Cato Network - SGBox SIEM Integration Guide

This Guide explains how to configure SGBox to make API calls to Cato Network with the purpose of collecting events in SGBox SIEM related to Network and IDS/IPS activities managed by CATO.

To complete the tasks outlined in this guide, you’ll need the following:

Create an API key and obtain your Account ID from Cato Networks.
Configure SGBox Playbooks for Cato Network

Overview of Cato API Keys

The API Keys page lets you generate API keys in the Cato Management Application that are used to authenticate to the Cato API server. Enter the API key for an API client or for scripts to run API calls for authentication to Cato.

Cato supports two types of API calls:

View permissions – Perform read-only API calls to retrieve data for your account
Edit permissions – Perform write API calls to make changes to your account

Note: SGBox uses eventsFeed API to ingest event data, so it is required to make sure to select Enable integration with Cato events in the Resources > Event Integrations page.

Generating an API Key

In the navigation menu, click Account > API Keys.
Click New. The Create API Key panel open.
Enter a Key Name.

Select option View in the API Permission for this key.
(Optional) Select a date that the API key Expires at.
In Allow access from IPs, select Specific IP list, and define the IP addresses that are allowed to use this API key, including the SGBox IP Address.
- The default setting is to allow this API key for Any IP address.
Click Apply. The API key is added and a popup window containing the new API key is displayed.
Click (Copy) and copy the API Key that is generated by the Cato Management Application and save it to a secure location.
- Once you close this window, you can’t access the value for the API key.
Click OK to close the pop-up window.

Obtain your Account ID from Cato Networks

Account ID Location:

The Account ID is found within the Cato Management Application. Specifically by navigating to Account > Account Info.
Also it is shown within the URL of the Cato account when logged in.
- For example, if your Account ID is “1234” then the URL should look like: https://sgbox.catonetworks.com/#!/1234/topology

Configure SGBox Playbooks for Cato Networks

Add Custom Host

You must define a Host in SGBox to make sure that the logs collected from CATO will be written into the SIEM, to achieve or analyze them.

Go to SCM > Network > Host list
Click the button ➕ New Host
Insert “CatoNetwork” in the Host field and Save the new host

Cato Network Package Installation

It is also necessary to install a Cato network package in SGBox to deploy on the SIEM configuration used to obtain or analyze CATO events.

Go to SCM > Applications > Packages and download the package named “Cato Network” by click the button Install
During the Installation of the package in the field Select the hosts the package will be associated with choose “CatoNetwork” previously defined in the Host list.

Click Install to finish the installation

Cato Network PB Configurations

Go to SCM > PB > Playbook and edit [Cato] Network Get RawLogs
Edit node called [SET] Credentials Parameters and insert API key and Account ID obtained from CATO, save the changes on node by click Save button.

Edit node called [WRITE] RawLog and in the field choose from list choose “CatoNetwork” previously defined in the Host list, save the changes on node by click Save button.

To save all changes and exit the [Cato] Network Get RawLogs playbook, click the Save button.

Schedule the [Cato] Network Get RawLogs PB by clicking the button with the clock icon 🕓 , set an appropriate time interval (not less than 5 minutes), save the change, to run Playbook, click the Execute button and choose Background run.

If the API connection between Cato Network and SGBox is working, a Green 🟢 icon will appear on the Status column and in the Host list for CatoNetwork hosts on the Last Log column will start showing the timestamp of the last data received from CATO in SGBox.

Notes, to check the availability of data collected by SGBox you can also refer to the Historical search page: https://www.sgbox.eu/en/knowledge-base/historical-search/

In case the execution of PB gives an error, a Red icon 🔴 will be shown, In this case the advice is to better check the configuration part to make sure that there are no errors in the input of the parameters needed for the API connection, or, In case of further problems you can open a ticket to SGBox Support via ticketing portal: https://sgboxportal.sgbox.it/portal/en/signin

Analyzing collected data

Go to LM > Configuration > Mapping > edit mapping called [Cato] Network and in the field choose from list choose “CatoNetwork” previously defined in the Host list, save the changes by click OK button, Confirm.

In this way, SGBox will begin to analyze the events it has collected, which will be searchable from the SGBox analysis pages (Class/Pattern analysis, Custom Report List, Dashboard).

SIEM solutions integration with Apex Central

SGBox — Mon, 10 Mar 2025 15:26:52 +0000

Syslog Configuration on Apex

Configure Syslog Settings For Apex Central On-premise

Configure Syslog Settings Apex SaaS

Configure Syslog Settings For Apex Central On-premise

In order to send logs to SGBox you need to modify first you syslog settings:

Go to Detections > Notifications > Notification Method Settings. The Notification Method Settings screen will appear.
In the Syslog Settings section, specify the following:
- Server IP address: Type the IPv6 or IPv4 address of the syslog server
- Port: The port number of the syslog server
- Facility: Select the facility code
Click Save

Log Forwarder can send several log types from the Apex Central database to a syslog server in either Common Event Format (CEF) or Apex Central format.

Enable Syslog now Syslog Forwarding:

NOTE:

Apex Central starts forwarding logs to the configured syslog server.
To monitor the log forwarding status, go to Administration > Command Tracking and select Forward Syslog from the Command drop-down list.

Configure Syslog Settings Apex SaaS

Log Forwarder can send several log types from the Apex Central database to a syslog server in either Common Event Format (CEF) or Apex Central format.

Log in to Apex Central console using an Administrator account.
Go to Administration → Settings → Syslog Settings. The Syslog Settings screen appears.
Select the Enable syslog forwarding check box.
Configure the following settings for the server that receives the forwarded syslogs:
- Server address: FQDN or IP address of the receiving Syslog or SIEM server.
- Port: Syslog server port number. For UDP, the IANA standard port number is 514. For TLS, it’s usually port 6514.
- Protocol: Select TCP, UDP, or SSL/TLS as the method of communication with the syslog server
- NOTE: For best security practice, upload CA certificate that issued receiver’s SSL certificate to enable SSL certificate validation. If the receiver SSL certificate is a self-sign certificate, it must contains Subject and Subject Alternative Name, the CN Name and DNS Name must contain the Receiver host FQDN or IP address.Apex Central only supports CA certificates in X.509 format with .DER or .PEM encoding
Select the log Format:
- CEF: Uses the standard Common Event Format (CEF) for log messages
Configure the Frequency for when Apex Central forwards the logs.
Select the log type(s) to forward:
- Select a log category from the Log type dropdown list:
  - Security log
  - Product information
- Select the check box for the log(s) you want to forward. Apex Central displays the total number of selected log types next to the Log type dropdown list.
- (Optional) Select another log category from Log type dropdown list to select additional logs types to forward.
Click Test Connection to test the server connection. The syslog server connection status will appear at the top of the screen.
Click Save.

NOTE:

Apex Central starts forwarding logs to the configured syslog server.
To monitor the log forwarding status, go to Administration > Command Tracking and select Forward Syslog from the Command drop-down list.

 If SSL/TLS is selected, by default Apex Central accepts receiver's SSL certificate without validation

For best security practice, upload CA certificate that issued receiver’s SSL certificate to enable SSL certificate validation.
If the receiver SSL certificate is a self-sign certificate, it must contains Subject and Subject Alternative Name, the CN Name and DNS Name must contain the Receiver host FQDN or IP address.
Apex Central only supports CA certificates in X.509 format with .DER or .PEM encoding

For more information

Syslog configuration on Sangfor

SGBox — Mon, 10 Mar 2025 15:04:43 +0000

Syslog configuration on Sangfor

Cyber Command

Endpoint Secure

Cyber Command

Endpoint Secure

Syslog configuration on ESET

SGBox — Mon, 24 Feb 2025 09:12:05 +0000

Syslog configuration on ESET

Following the steps to send logs from ESET (on-premise and Cloud) console to SGBox.

Syslog server Configuration On Premise

Syslog server Configuration On Cloud

Syslog server Configuration On Premise

Syslog server Configuration On Cloud

For more information visit these links:

Syslog configuration on Cortex

SGBox — Fri, 21 Feb 2025 15:11:36 +0000

Syslog configuration on Cortex XDR

Select Settings → Configurations → Integrations → External Applications.
In Syslog Servers, click + New Server.
Define the following parameters:
- Name: for the server profile
- Destination: IP address or fully qualified domain name (FQDN) of SGBox.
- port: number on which to send syslog messages.
- facility: Select one of the syslog standard values. The value maps to how your syslog server uses the facility field to manage messages. For details on the facility field, see RFC 5424
- Protocol: method of communication with the syslog receiver.
  - TCP: No validation is made on the connection with the syslog receiver. However, if an error occurred with the domain used to make the connection, the Test connection will fail.
  - UDP: No error checking, error correction, or acknowledgment. No validation is done for the connection or when sending data.
  - TCP + SSL: Cortex XDR validates the syslog receiver certificate and uses the certificate signature and public key to encrypt the data sent over the connection.
- Certificate: The communication between Cortex XDR and the syslog destination can use TLS. In this case, upon connection, Cortex XDR validates that the syslog receiver has a certificate signed by either a trusted root CA or a self-signed certificate. You may need to merge the Root and Intermediate certificate if you receive a certificate error when using a public certificate. If your syslog receiver uses a self-signed CA, upload your self-signed syslog receiver CA. If you only use a trusted root CA leave the certificate field empty.
  - Note: Up to TLS 1.3 is supported. – Make sure the self-signed CA includes your public key.
  - You can ignore certificate errors. For security reasons, this is not recommended. If you choose this option, logs will be forwarded even if the certificate contains errors.
Test the parameters to ensure a valid connection, and click Create when ready

Syslog configuration on Cisco WLC

SGBox — Thu, 20 Feb 2025 09:18:20 +0000

Syslog configuration on WLC ( GUI )

Go to Management > Logs > Config. The Syslog Configuration (GUI) age appears:
Enter the Syslog Server IP Address and click Add. You can add up to three syslog servers to the controller. The list of syslog servers that have already been added to the controller appears under this text box. If you want to remove a syslog server from the controller, click Remove to the right of the desired server.
To set the Syslog Level (severity) for filtering syslog messages to the syslog servers, choose one of the next options from the Syslog Level drop-down list:
- Emergencies= Severity level 0
- Alerts= Severity level 1 (default value)
- Critical= Severity level 2
- Errors= Severity level 3
- Warnings= Severity level 4
- Notifications= Severity level 5
- Informational= Severity level 6
- Debugging= Severity level 7
  - NOTE: If you set a syslog level, only those messages whose severity is equal to or less than that level are sent to the syslog servers. For example, if you set the syslog level to Notifications (severity level 5), only those messages whose severity is betwen 0 and 5 are sent to the syslog servers.
  - NOTE: If you have enabled logging of Debugging messages to the logging buffer, some messages from application debug could be listed in message log with severity that is more than the level set. For example, if you execute the debug client mac-addr command, the client event log could be listed in message log even though the message severity level is set to Errors.
To set the Syslog Facility for outgoing syslog messages to the syslog servers, choose one of these options from the Syslog Facility drop-down list:
- Kernel= Facility level 0
- User Process= Facility level 1
- Mail= Facility level 2
- System Daemons= Facility level 3
- Authorization= Facility level 4
- Syslog = Facility level 5 (default value)
- Line Printer= Facility level 6
- USENET= Facility level 7
- Unix-to-Unix Copy= Facility level 8
- Cron= Facility level 9
- FTP Daemon= Facility level 11
- System Use 1= Facility level 12
- System Use 2= Facility level 13
- System Use 3= Facility level 14
- System Use 4= Facility level 15
- Local Use 0= Facility level 16
- Local Use 2= Facility level 17
- Local Use 3= Facility level 18
- Local Use 4= Facility level 19
- Local Use 5= Facility level 20
- Local Use 5= Facility level 21
- Local Use 5= Facility level 22
- Local Use 5 = Facility level 23
  - NOTE: For example, selecting Kernel makes only kernel related messages to be sent. Authorization, makes only AAA related messages to be sent, and so on.
Click Apply.

Configuring Syslog on WLC ( CLI )

Enable system logging and set the IP address of the syslog server to which to send the syslog messages by entering this command:
- (Cisco Controller) >config logging syslog host server_IP_address
To remove a syslog server from the controller by entering this command:
- (Cisco Controller) >config logging syslog host server_IP_address delete
Set the severity level for filtering syslog messages to the syslog server by entering this command:
- (Cisco Controller) >config logging syslog level severity_level

Syslog configuration on QNAP

SGBox — Wed, 12 Feb 2025 13:38:08 +0000

Syslog configuration on QNAP

Here the steps to send logs to SGBox.

Log in to QuLog Center.
Go to QuLog Service > Log Sender > Send to Syslog Server.
Enable Send logs to remote syslog server.
Click on Add destinatinatio IP address
- Enter SGBox IP on Destination IP
- Enter 514 as Port
- Select UDP as Transfer protocol
- Destination IPPut Event & Access Log on Log type
- Format ( you can click send a test message to test the connection

Click on apply

Syslog configuration on Ubiquiti

SGBox — Tue, 11 Feb 2025 15:28:20 +0000

Syslog configuration on Ubiquiti

These instructions assume:

The date, time and time zone are correctly set on the device.
You have administration access to the UniFi controller web interface.

Configure syslog:

Log in to the UniFi Controller’s web interface.
Click Settings (the gear icon) in the bottom left corner.
Under the Site heading, navigate to the Remote Logging section.
Select the checkbox beside Enable remote syslog server. Leave the Enable debug logging box unchecked.
Enter the SGBox IP address.
Enter 514 in the Port field.

Click Apply changes.

For more information visit

Syslog configuration on Sentinel

SGBox — Fri, 07 Feb 2025 14:49:56 +0000

Configure Sentinel to send logs to SGBox

Open the SentinelOne Admin Console. Configure SentinelOne to send logs to your Syslog server.

Select your site.
In the left side menu, click the slider icon [⊶] to open the Settings menu.
Open the INTEGRATIONS tab, and fill in the details: ( 3.1 ): Under Types, select SYSLOG ( 3.2 ): Toggle the button to enable SYSLOG: ( 3.3 ): Host – Enter your public SYSLOG server IP address and port. ( 3.4 ): Formatting – Select CEF. ( 3.5 ): Save your changes.

If TLS is selected you will need to upload certificates.

Syslog configuration on ForcePoint

SGBox — Fri, 07 Feb 2025 09:21:07 +0000

ForcePoint

To send logs to SGBox:

Toggle the Enable SIEM logging switch to ON.

Enter the IP address or hostname and communication Port for your SGbox server.
Select a Transport protocol (TCP or UDP).
Configure which logs to send by selecting one or more Threat levels. By default, malicious and suspicious incident logs are forwarded.
Select an SIEM format to use (the default is syslog/CEF).
Click Apply to save your changes.

For further information visit this link: https://www.websense.com/content/support/library/riskvision/v21/system_mgmt/system_logging.aspx