SCM – System Control Management – SGBox Next Generation SIEM & SOAR

Telegram App

SGBox — Tue, 18 Jun 2024 09:19:38 +0000

Configure SGBox to use Telgram API in LCE Module and send alert messages

This articles explain how to configure SGBox to interact with Telegram API in order to send alert messages when a specific event occur.

Requirements:

SGBox version 4.2.4 with the LM and LCE modules.
A Telegram BOT.

There are many tutorial about how to configure a Telegram BOT. We choose @BotFather for our example.
First you need to create your bot and obtain your TOKEN:

A token is something like: 1148120703:AbIUGpERusdQDEEag_EL1KDtynRB9sIhbj1.
You need also a the chat_id, so: start and say “Hello” to your bot, than retrieve the chat id:

From your browser go to:
https://api.telegram.org/bot1148120703:AbIUGpERusdQDEEag_EL1KDtynRB9sIhbj1/getupdates

Find the ID in the response:

id: 124229696

Telegram App Installation

Install Telegram application: SCM > Applications

> Packages

find the “Telegram Alert”, in this case the package is already installed but the installation’s button is in the same place

After the dowmload we verify in PB

When PB is open search Tlegram alert in filter name

When we find Telegram_Alert we need to modify with the button on the right side

Telegram_Alert’s Playbook has this format

Afetr we need to create an Event/logs queries to connect with the Telegram_Alert’s Playbook, we have to go to LM > Analysis > Event/logs queries

Create new Queries with the blue button on the right

in the select we put the parameters that we are interested in seeing in the future message that will arrive on our Telegram.

On this example we write:

 $HOST as Host, $EVENT as Action, $PARAM:[TargetUserName] as details, $TIMESTAMP as Timestamp

Now set your “FROM” ( The class or classes )

Now i choose the event or events:

Important: we need to verify the proper functioning of our query, NB: before clicking the test button, chech the range time

Now press the button = ” Show Scheduling Options “

put the tick on the flag ” Run Playbook ” and choose our Telegram alert

back to the playbook section

we have to set our Telegram bot credential, to do it we can go on the second rectangle from the left and click on modify:

Name fileld: bot_id ( do not change ), ( we can find in the first part of our guide the credentials that need to be entered )

Value: 1148120703:AbIUGpERusdQDEEag_EL1KDtynRB9sIhbj1

Name fileld: chat_id ( do not change ), ( we can find in the first part of our guide the credentials that need to be entered )

Value: 124229696

Also when we finisched to insert our credential, we can test all and save, close the window

go to format message

same passage as before click on the edit button, in the section text we write the telegrammessage that will come to us once we set :

Telegram Alert

Host: $1

Action: $2 

Details: $3

Timestamp: $4

the values refer to the query we made earlier, to add parameters in the text message click on plus or trash to delete

Save all with the button on the right “save”

Back to Playbook section, search Telegram_Alert and check the status of the playbook on the right side, if it’s green playbook will alert you whenever the event we have indicated will happen

If it’s all correctly, after the login telegram alert me that someone has done a LogonOK

Group panel – functionalities and usage

SGBox — Tue, 21 May 2024 09:40:17 +0000

The group panel allows you to manage the groups.

Main Page

The Main Page displays the name, the description and the various permissions of the profiles.

Actions box
- Select All: Selects all the profiles in the table.
- Multiple Editing: Opens a dialog for multiple editing of selected profiles.
- Remove: Opens a dialog for profiles removal.

Filter box
- Input field: Filters the entire table based on the entered value, which is compared with all the cells.
- Pin Icon: Pins the filter after a hypothetical reload.

Table Actions box:
- Plus icon: Opens a dialog to add a new profile
- .CSV: Downloads the table in CSV format.
- .XLS: Downloads the table in XLS format.

Edit icon: Opens a container for Profile Editing

Trash icon: Select the group for the Profile Removal

New Group

This dialog allow for adding a group. The user needs to enter the name (1) and choose at least one module which must be on . If desired, the user can insert the description (2) yet.

Name: it is the name of the group.

Description: It is the description of the group.

Pages Section: This section allows you to choose one or more modules to be associated to the group.

Edit Group

The operation is exactly the same as the New Group. You can change any field.
In order to apply the changes click on the Save button.

Multiple Editing

Multiple Editing allows you to modify the description and the associated permissions. It shows a “Used for” popover containing the associated groups as a reminder.
In order to apply the changes, click on the Save button.

Delete Groups

To delete multiple groups, first select one of the groups using the Remove icon (1), then press the select all button (2). Once you’ve selected one or more groups, the Remove button (3) will activate.

After clicking the remove button on the main page, a container will appear, allowing you to complete the deletion
It displays the selected groups as a reminder.
Click remove to apply the deletion.

Profile Panel – functionalities and usage

SGBox — Tue, 21 May 2024 07:35:47 +0000

The profile panel allows you to manage the profiles.

Main Page

The Main Page displays the name and the description of the profiles.

Actions box
- Select All: Selects all the profiles in the table.
- Multiple Editing: Opens a dialog for multiple editing of selected profiles.
- Remove: Opens a dialog for profiles removal.
Filter box
- Input field: Filters the entire table based on the entered value, which is compared with all the cells.
- Pin Icon: Pins the filter after a hypothetical reload.
Table Actions box:
- Plus icon: Opens a dialog to add a new profile
- .CSV: Downloads the table in CSV format.
- .XLS: Downloads the table in XLS format.
Edit icon: Opens a container for Profile Editing

New Profile

This dialog allow for adding a profile. The user needs to enter the name and choose at least one page . If desired, the user can insert the description yet.

Name: it is the name of the profile.
Description: It is the description of the profile.
Pages Section: This section allows you to choose one or more pages to be associated to the profile. You can use the switch (4) to enable all the pages of the level below.

You can select the pages by clicking on the page rows. If you want to create some spaces, you can click on the module, and their visibility will toggle.

Edit Profile

The operation is exactly the same as the New Profile. You can change any field.
In order to apply the changes click on the Save button.

Multiple Editing

Multiple Editing allows you to modify the description and the associated pages. It shows a “Used for” popover containing the associated profile as a reminder.
In order to apply the changes, click on the Save button.

Delete Profile

To delete multiple profiles, first select one of the profiles using the Remove icon (1), then press the select all button (2). Once you’ve selected one or more profiles, the Remove button (3) will activate.

After clicking the remove button on the main page, a container will appear, allowing you to complete the deletion
It displays the selected profiles as a reminder.
Click remove to apply the deletion.

Dashboard Management Panel – Functionalities and usage

SGBox — Fri, 10 May 2024 09:32:56 +0000

The dashboard panel allows you to manage the dashboards.

Main Page

The main page shows the dashboard information, their owners, the users associated, the timeout and their tags.

Actions box
- Select All: Select all the dashboards in the table.
- Multiple Editing: It will open a dialog that allows the multiple editing of selected dashboards.
- Remove: It will open a dialog that allow the tags removal.
Filter box
- Input field: It is used to filter the entire table. The filter value is compared with all the cells.
- Pin Icon: The icon is used to pin the filter after an hypotetical reload.
Table Actions box:
- Plus icon: It opens a dialog that allow the “Dashboard Added”
- .CSV: Downloads the table in CSV format.
- .XLS: Downloads the table in XLS format.
Edit icon: It will open a container that allow the Dashboard Editing

New Dashboard

This dialog allows the addition of a dashboard. The user has to enter the name, color, timeout and user(s). You can choose one or more tags to associate.

Name: It is the name of the dashboard
Description: It is the description of the dashboard
Timeout: It is a parameter used to specify the interval at which the dashboard data will be updated.
This section is used to associate the dashboard with the selected tags. You can click on the line to select the tags.
This section is used to associate the dashboard with one or more users. You can click on the line to select the users.
- Share: The dashboard will be available for the selected users.
- Copy: The selected users will have their own dashboard

Edit Dashboard

This container allows to the user to edit dashboard information, associations between tags and users. It is allowed the dashboard cloning.

Name: It is the name of the dashboard
Description: It is the description of the dashboard
Owner: It is the dashboard creator. It is not editable.
Timeout: It is a parameter used to specify the interval at which the dashboard data will be updated.
This section is used to associate the dashboard with the selected tags. You can click on the line to select the tags.
This section is used to associate the dashboard with one or more users. You can click on the line to select the users.
- Share: The dashboard will be available for the selected users.
- Copy: The selected users will have their own dashboard
Shared icon: This indicates that the dashboard is shared with emphasized users.

When you click on button group (1), this menu will appear, allowing you to choose the users to whom the dashboards will be cloned. If you want to return, click on ‘share‘.

Multiple Editing

This dialog allow the perform changes at once for multiple dashboard. The common information are description, timeout, tags and users. You can clone the dashboard for selected users.

Description: It is the description of the dashboard
Timeout: It is a parameter used to specify the interval at which the dashboard data will be updated.
Used For: this field reminds how many selected dashboards are associated to the element (in this case, tag)
This line displays the Remove icon, so you can delete all the associations with the tag.
This line does not display the Remove icon, so you can add the association dashboard-tag
This section is used to associate the dashboard with one or more users. You can click on the line to select the users.
- Share: The dashboard will be available for the selected users.
- Copy: The selected users will have their own dashboard

Delete Dashboards

To delete multiple dashboards, first select one of the dashboards using the Remove icon (1), then press the select all button (2). Once you’ve selected one or more dashboards, the Remove button (3) will activate.

After clicking the remove button on the main page, a container will appear, allowing you to complete the deletion.
It displays the selected dashboards as a reminder.
Click remove to apply the deletion.

Tag Panel – Functionalities and usage

SGBox — Mon, 29 Apr 2024 15:12:43 +0000

The tag panel allows you to associate a tag to various types of elements.

Document Index

- Main Page

Main Page

The main page displays the existing tags along with their colors and owners. The “Used for” field indicates the type of elements they are employed for.

1. Actions box
  - - Select All: Selects all the tags in the table.
  - - Multiple Editing: Opens a dialog for multiple editing of selected tags.
  - - Remove: Opens a dialog for tag removal.

1. Filter box
  - - Input field: Filters the entire table based on the entered value, which is compared with all the cells.
  - - Pin Icon: Pins the filter after a hypothetical reload.

1. Table Actions box:
  - - Plus icon: Opens a dialog to add a new tag
  - - .CSV: Downloads the table in CSV format.
  - - .XLS: Downloads the table in XLS format.

1. Edit icon: Opens a container for Tag Editing

New Tag

This dialog allow for adding a tag. The user needs to enter the name and choose a color. Optionally, they can select one or more elements to be associated with the tag. If desired, the user can create the tag first and then choose the elements using the “Edit Tag” option.

1. Name: It is the name of the tag.

1. color: It is the HEX code color.

1. Preview: After selecting the color, the preview shows the updated name and color.

1. Palette icon: By clicking on this icon, you can open the palette and choose a color for the tag.

1. Select All switch: Enabling this switch allows you to select all the elements of that category (in this case, dashboard)

Edit Tag

This macro area is shown by clicking on the Edit icon. (1)
It reports the information in the input field and allows the editing of the tag.
Every changes must be applied pushing the Save button.

Tag Info

1. Name: It is the name of the tag.

1. Color: It is the HEX code color. You can choose a different color by clicking on the palette icon (5).

1. Preview: After selecting the color, the preview shows the updated name and color.

1. User Name: It is the tag owner. A superuser has control over all tags, while a user with regular authorization can only control their own tags.

Associate The Tag

This section allows the user to associate the tag with various elements. There are different types of elements, and they may become more numerous over time.

1. Hide icon: Opens the network container and displays the table for selecting the network. Toggling the click allows the user to select or deselect the element.

1. Select All switch: Enabling this switch selects all elements of that category. (in this case, network)

1. Expand icon: Clicking on this icon shows the Host container.

Associated Elements

This section allows the user to remove an association between tag-element.

1. Select All switch: Enabling this switch allows you to select all elements without considering the categories.

1. Remove icon: Clicking on this icon selects the element to be deleted.

Multiple Editing

This container allows the multiple editing of the previously selected tags. You can select a color and apply it to all the tags.

1. Palette icon: Displays the color palette, allowing you to select a color by clicking on one of them.

1. Preview: When hovering over a color, the preview shows the how the tag willl appear with that color.

The container is divided into two areas:

- Associate The Elements To The Tags: You can choose the elements to be associated with the tags.

- Associated Elements: This area allows you to select the elements from which the association will be deleted.

Associate The Elements To The Tags

This section allows you to associate elements with tags. In this case, the container containing the elements table is opened using the (1) icon. You can select all the assets at once using the red boxed switch.

1. Open/Close icon: This icon is used to toggle the opening and closing of the container.

1. Clicking on the line will select it and associate it with the tags. Once the changes are saved, the association will be applied.

Associated Elements

This section allows you to remove the tag-element association. You can select all the elements using the red boxed switch.

1. Remove Icon: It removes the association of all previously selected tags with the selected element.

Delete Tags

To delete multiple tags, first select one of the tags using the Remove icon (1), then press the select all button (2). Once you’ve selected one or more tags, the Remove button (3) will activate.

After clicking the remove button on the main page, a container will appear, allowing you to complete the deletion
It displays the selected tags as a reminder.
Click remove to apply the deletion.

Packages Management

SGBox — Fri, 15 Sep 2023 14:27:09 +0000

Main Concept

A package is a box that contains many preconfigured items for a specific vendor or functionality.

Typically a package may contains:

pattern
class
template
dashboard
profiles and vendors association
playbook

In a multitenant environment, a package must be updated tenant by tenant.

Package Installation

You can check the package list to retreive and install pre-configured objects to integrate in you appliance. To install a package you can reach the page from SCM -> Applications -> Packages

Select the package that you need to install and start the process with “Install” button, a popup will appear. To confirm the installation
you need to select the button “Download and Install”

Once downloaded the package, you must associate it with the hosts, to permit the system to automatically associate these hosts to the correct Class, Template, Vendor, and other related objects to permit to parse the log and convert it into events.

Package content preview and filter objects installation

To view the content of the package before the install to Hosts, you can select the button “Customize” near the “Install Button” to view all
the objects inside it. You can also select only objects that you need.

Installation re-run

If you want to associate other hosts after the first package wizard, you can re-run the wizard with the “play” ▶ button near the related
package.

With this options you can: – Add new Host – Configure a different e-mail for all the Rules and Actions – Review the package content with “Customize”)

Package Update

If a new package version is available, a new icon appear under the “play” icon, with double arrows in circle 🔁.

You can review the package content and then update it.

❗ Update Note: please remind that every items in the package may be overwritten (ID of the object as reference) when confirm the updating. This may include name modification, action reset in the LCE Rule or Event Queries actions and so on.

Package removal

To remove a package you can select the “Trash” 🗑 icon then confirm the deletion in the next popup.

Removal Note: Please remind that the removal do not remove the associated active elements, these must be removed manually.

Custom package

In multitenant or multimanagement environment, you can create a custom package. A custom package must be uploaded manually on every tenant and mantain low IDs on the object.

Creation

To create a package you need to go on SCM -> Actions -> Packages

Next you can select elements to include in the package:

An already present package to start from. This is used mainly to produce official package.
Multiple elements to include like patterns, class, dashboards, rules, templates, event queries, playbook, profiles and vendors.
Actions like
1. Download package: with this option you can download the newly created package. With this option you must provide a name, short description and optional (but recommended) a logo (square format 1:1, any other aspect ratio will be stretched, no trasparent is recommended to provide theme compatibility). The package will start download in encrypted format
2. Export to tenants: option present only with impersonificated user in multitenant environment. This allow to share elements directly in other tenants. Once selected in the next popup you can select the tenants where to share objects.

Note: pay attention to the objects dependencies (eg. dashboard with widget come from Template or EQ), these are not shown in the page during creation, due to flexibility in the creations steps.

New Package Export

This section describes how to use the new version of the page that allows you to export a set of objects in a package, or transfer them to other tenants of a Multi tenant environment.
The main innovation of the new version of the package export page is the ability to show all types of objects together. When you first open the page, you see all existing objects, with a maximum of 1000 displayed. Then, you can filter the list by:

Package(s): to see all the objects contained in one (or more, combined) package already installed on SGBox.
Name and description: write any text to see all the objects that contain it, in their name or description.
Types: to see only objects of certain types (e.g. dashboard, patterns).
Tags: to see only objects associated with the selected tags.

All filters can be combined, so you can see, for example, all Classes and Patterns named like “Watchguard”. You have to click on the FILTER button to apply the filters.

The FILTER button does not apply to the package selection filter, which works immediately and also pre-selects the objects contained in the package(s). This allows you to edit an existing package, by simply adding new objects or deselecting the ones you want to remove from the package.

Objects can be selected if it has the switch enabled, to include it in the package that will be exported. If an object cannot be selected, it’s just for display; it will be automatically included in the package if related to selected objects. When you select an object, the systems highlights with a check icon all the other objects that are related to the selected one. Those related objects will be included in the package too. without need to be manually selected.

As the related objects may not be visible immediately in the list, the button PREVIEW at the bottom right of the page can be used to show, at any time, all the objects that will be included in the package.

The search icon next to any object that can be selected, allows you to see a preview of all the objects related to the one you clicked, to see what would be included in the package if that object was selected.

Upload on tenant

Once downloaded the package in encrypted format, you can upload it in other tenants by enter in the target tenant and upload it via
SCM -> Applications -> Upload App.

Once uploaded a new Section in the application will appear “Custom”

Update custom package

When update a custom package, the package match the object by the name and/or ID of the object already present in the appliance, so pay attention by renaming objects already exported or recreating it.

Syslog forwarding from sgbox to another server

SGBox — Tue, 23 May 2023 16:05:09 +0000

Syslog forwarding from sgbox to another server

This article explain how to forward logs/events received from SGBox to another server using syslog protocol.
First off all you need to download the “SGBox syslog forwarder” application or ask support via ticket to unlock it.
Remember that this application reads data from internal repository and forwards log, events or incidents to an external syslog server.

From SCM > Application > Tools click install on SGBox syslog forwarder application.

Launch the application and configure it

IP Address	Only IP addresses are allowed in the “Remote syslog server address”
Class ID	The field Class ID allows to specify one or more classes to retrieve logs and events from. User can specify a class by specifying its class id (LM->Configuration->Class, the # column). Comma separated class IDs are allowed to identify more hosts and events that should be forwarded. As an alternative, user can create a single new class containing all the hosts/events that should be forwarded; this solution is less readable, but allowed
Protocol	Protocol can be TCP or UDP. Use TCP if possible, since it is more a reliable protocol
Port	Destination Port
Send RAW data from hosts in this classes corresponding to the selected events	tells SGBox to forward just the logs used to generate an event (i.e. in a “logon” class, only the raw data that represents a logon will be forwarded).
Send all RAW data from hosts in this classes	tells SGBox to forward all the logs from the hosts that belong to the selected class (more verbose)
Send events (JSON format)	tells SGBox to forward only the events that were generated by the events extraction system. Incidents (events that were generated by correlation rules) can be forwarded as well and you need to specify the classes they are bound to, in the Class ID field (again, in LM->Configuration->Class)

Additional information:

Data is sent by using rfc5424.
Raw data and events are sent with the same origin and timestamp as the original raw log and event.
Raw data is sent in plain text
Events are sent in json format

Change your own user settings

SGBox — Fri, 17 Feb 2023 14:29:16 +0000

Change user settings

This article explain how a user can change his settings also if he has read-only privileges on different modules.
After logged in with your user, select USER > Edit

Here you can change: username, password and user email

Network Panel – Functionalities and usage

SGBox — Wed, 11 Jan 2023 16:01:09 +0000

Network Panel

The network page allows to show all hosts present in the internal database of SGBox.

Document Index

Main Page
New Network
Select Single Network
Select All
Modify Network
Multiple Editing
Remove
Discovery Host
Remove

Main Page

The Functions box (1) allows different actions:

Select all
Multiple Editing
Remove

In the (3) box:

.csv downloads the table as csv file.
.xls downloads the table as xls file.
The plus icon allows you to add a new network.

In the search field box (3) you can filter the results of the table. The system searches for each field of the table based on the characters in the input field.

Clicking on the pin icon (4) pins the filter for a future use. If it is blue the filter is pinned.

The green circled icon shows the hosts belonging to the network
The light blue circled icon allows you to edit the information related to the network
The red circled icon selects the network to enable removal.

New Network

This modal dialog allows you to add a new network. The description and the location are optional. You can associate a location by searching for at least 3 characters in the input field and then selecting one of the results.

To cancel your choice you can click again on the row. To clear all the input field, you can use the reset button.

Select Single Network

By clicking on the row you will be able to perform the following actions:

Select all
Remove

If you previously selected at least two networks, you will be able to perform these actions:

Select all
Multiple editing
Remove

Select all

By clicking on the select all button, the rows (networks) will be selected. After clicking on the select all button:

You can edit multiple networks (1) or remove (2) them.
The button changes to “Deselect all” (3) to deselect all rows, clear the search input field, and reload the networks.

Functions:

Multiple editing
Remove

Modify Network

This macro area is displayed by clicking on the Edit icon. (1)

It reports the information in the input field and enables editing of the network.

Modify network area

In the “modify network” section, you can modify the network information. It’s important to enter the network address correctly, as the system rejects these types of addresses:

1.1.1.01
30.168.1.255.1
127.1
192.168.1.256
-1.2.3.4
1.1.1.1.
3…3
192.168.1.099

All the fields are editable.

Location area

In the “Location” area, you can modify the location associated with the network. The first three input fields allow the user to find more details about the selected city.

To search for a location, you need to first select an available country from the drop-down list (1). Then, you must enter at least 3 characters in the input field (2) to enable the search button. Once the location has been selected and applied, you can remove the association by turning off the switch.

Multiple editing

This view enables the editing of the selected networks. It performs the same functions of the Modify Network view. The common information of the networks selected is reported in the first red rectangle.

The view shows the different information of the networks selected in the second red rectangle

Remove

To delete one or more network the user have to select the trash icon(1) and then click on the remove button (2).

The following modal dialog displays the networks that the user has selected. To delete them, simply click the “Remove” button.

Configure Oracle App

SGBox — Tue, 03 Jan 2023 10:41:46 +0000

Download and Configure Microsoft SQL App

This articles explain how to configure Oracle App in order to retrieve logs from a specified database table.
Requirements:

SGBox version 4.2.5

Go to the application lists from SGBox go to SCM > Applications

Select Vendors Integrations and download the application Log from Oracle. Click on INSTALL. Once Installed click on EDIT icon

You need to configure the application as follow:

Host: Database IP SID: Oracle SID Port: DB port Username: Oracle user used to login Password: Oracle user's password Star Date: Initial date to retrieve logs Timestamp field: The Column name that contain the timestamp Timestamp table: The table that contain the timestamp Separate field: Character used to separate information once retrieved Query: query used to extract information

IT’S VERY IMPORTANT TO NOT PUT ANY TIMESTAMP CONDITION OR * IN THE SELECT FIELD

After configured you need to schedule the application to be executed. See this section to know how to schedule an application.

The first time the application has been run some components are added and if everything is ok you can see in LM > Analysis> Historical Search the results

Once executed you’ll see your logs LM > Analysis > Historical Search

If yuo have more databases or more SQL Server you can clone it and configure a new one.