Log decryption test
Source: SGBox Knowledge Base, https://www.sgbox.eu/en/knowledge-base/log-decryption-test/ (24 May 2023)

This article explains where encrypted logs are stored in SGBox and how to perform a decryption test.

First of all, you need to know that after SGBox receives the logs it stores them in the Online Database so that you can search them with the Historical Search tool (LM > Analysis > Historical Search).
Meanwhile, SGBox also analyzes the logs in order to produce the events you can see in Class/Pattern Analysis, Templates, Dashboards, Reports, etc.
Here you can find more information on how logs are stored and their retention: data retention

The raw logs are also stored on the filesystem in encrypted form using GPG. You can see them in LM > Configuration > Encryption.
On this page you can also download a specific log file and check that it can't be read without the SGBox GPG keys.


In order to read it you need to download the GPG keys and store them in a file (read this article to learn how to do it: Export GPG key)

WINDOWS
Download and install a GPG program such as GPG4WIN (https://www.gpg4win.org/). Run the program and choose the Import button. Select the previously exported GPG keys file.


Choose Decrypt/Verify and select your file.


Click on Save All to save the unencrypted file.


LINUX
  • Import your keys:
    gpg --import < sgbox_pub.key
    gpg --import < sgbox_priv.key
  • Run the following command:
    gpg -d -q data_20200202050000_20200202055959_757.log.gpg
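
As an added example (not code from the SGBox article), the Linux steps above as a script that imports the exported keys into a dedicated GnuPG home, batch-decrypts a directory of raw-log archives, and first checks that each file really is an OpenPGP message, which is also the check described for a file downloaded from the Encryption page. It assumes GnuPG 2.x on PATH; the function names, directory layout and key file names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the SGBox article: import the exported SGBox keys into a
# dedicated GnuPG home and batch-decrypt raw-log archives, checking first that each
# file really is an OpenPGP message. Assumes GnuPG 2.x on PATH; names are hypothetical.

# Succeed if FILE starts with an OpenPGP packet of tag 1 (public-key encrypted
# session key) or tag 3 (symmetric-key encrypted session key), or is ASCII-armored.
is_pgp_encrypted() {
  file="$1"
  b=$(od -A n -N 1 -t u1 "$file" | tr -d ' ')   # first byte as a decimal number
  [ -n "$b" ] || return 1                        # empty file
  if [ "$b" -eq 45 ]; then                       # '-': possibly ASCII-armored
    if head -n 1 "$file" | grep -q '^-----BEGIN PGP MESSAGE-----'; then return 0; fi
    return 1
  fi
  [ "$b" -ge 128 ] || return 1                   # bit 7 is set on every packet header
  if [ $(( b & 64 )) -ne 0 ]; then
    tag=$(( b & 63 ))                            # new-format header: tag in low 6 bits
  else
    tag=$(( (b >> 2) & 15 ))                     # old-format header: tag in bits 2..5
  fi
  [ "$tag" -eq 1 ] || [ "$tag" -eq 3 ]
}

# Import the public and private key files into a dedicated keyring directory so the
# SGBox material stays separate from the operator's own GnuPG keys.
import_sgbox_keys() {
  GNUPGHOME="$1"; export GNUPGHOME
  mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
  gpg --batch --quiet --import "$2" && gpg --batch --quiet --import "$3"
}

# Decrypt every *.log.gpg in SRC into DST (same name without .gpg), skipping files
# that are not OpenPGP messages; prints the number of files decrypted.
decrypt_logs() {
  src="$1"; dst="$2"; n=0
  mkdir -p "$dst"
  for f in "$src"/*.log.gpg; do
    [ -f "$f" ] || continue
    if ! is_pgp_encrypted "$f"; then
      echo "skip (not an OpenPGP message): $f" >&2
      continue
    fi
    out="$dst/$(basename "$f" .gpg)"
    if gpg --batch --quiet --decrypt --output "$out" "$f"; then n=$((n + 1)); fi
  done
  echo "$n"
}
```

With the key files from the Export GPG key article, run `import_sgbox_keys ~/sgbox-gnupg sgbox_pub.key sgbox_priv.key` and then `decrypt_logs ./encrypted ./decrypted`.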
Source: SGBox Knowledge Base, https://www.sgbox.eu/en/knowledge-base/export-sgbox-gpg-key/ (6 Feb 2020)

How to export SGBox GPG Key

This article explains how to export the SGBox private and public keys in order to decipher your logs outside SGBox.

Requirements:

  • SGBox version 4.2.0 or later.
  • Only the default Admin user can export the key.
  • The supervisor password must be set in SCM > Advanced Options, Supervisor Password.
    • Note: in case the previously set password is lost, customers are asked to open a ticket to SGBox support via the ticket platform (https://sgboxportal.sgbox.it), entering “Password Change for Supervisor” in the subject of the ticket.

From SGBox go to SCM > Applications.
Due to SoD (segregation of duties) restrictions, the keys are not available by default. You need to send an email to support@www.sgbox.it asking to unlock them.

Once unlocked, a new section Tools appears. Go to SCM > Applications > Tools.
Install the application GPG key export and click the PLAY button.

Insert the Supervisor password and the keys will be shown.
Take your time to copy and store them in a safe place.

Here are a couple of examples of how to decrypt logs: Log decryption