Set up SIEM for Integration
Set up the SIEM server to receive the device attributes, security alerts, and vulnerability findings that IoT Security sends to it through Cortex XSOAR.
- Configure the SIEM server to accept the following device attributes from IoT Security.
  The field names in the first three rows (dvc, dvcmac, dvchost) are predefined, standard CEF names. The field names in the remaining rows are CEF custom strings (cs1 through cs44): each csN value is sent together with a csNLabel that names the IoT Security attribute, and the SIEM's CEF parser must be configured to map each csN/csNLabel pair to the corresponding device attribute.

       Device Attribute (IoT Security)   SIEM Field Name
   1   IP Address                        dvc
   2   MAC Address                       dvcmac
   3   Hostname                          dvchost
   4   Profile                           cs1Label=Profile
   5   Category                          cs2Label=Category
   6   Profile Type                      cs3Label=Type
   7   Vendor                            cs4Label=Vendor
   8   Model                             cs5Label=Model
   9   VLAN ID                           cs6Label=Vlan
  10   Site                              cs7Label=Site
  11   Risk Score                        cs8Label=RiskScore
  12   Risk Level                        cs9Label=RiskLevel
  13   Subnet                            cs10Label=Subnet
  14   Number of Critical Alerts         cs11Label=NumCriticalAlerts
  15   Number of Warning Alerts          cs12Label=NumWarningAlerts
  16   Number of Caution Alerts          cs13Label=NumCautionAlerts
  17   Number of Info Alerts             cs14Label=NumInfoAlerts
  18   First Seen Date                   cs15Label=FirstSeenDate
  19   Confidence Score                  cs16Label=ConfidenceScore
  20   OS Group                          cs17Label=OsGroup
  21   OS/Firmware Version               cs18Label=OsFirmwareVersion
  22   OS Support                        cs19Label=OsSupport
  23   OS End of Support                 cs20Label=OsEndOfSupport
  24   Serial Number                     cs21Label=SerialNumber
  25   Endpoint Protection               cs22Label=EndpointProtection
  26   Network Location                  cs23Label=NetworkLocation
  27   AET                               cs24Label=AET
  28   DHCP                              cs25Label=DHCP
  29   Wired or Wireless                 cs26Label=WireOrWireless
  30   SMB                               cs27Label=SMB
  31   Switch Port                       cs28Label=SwitchPort
  32   Switch Name                       cs29Label=SwitchName
  33   Switch IP Address                 cs30Label=SwitchIp
  34   Services                          cs31Label=Services
  35   Server                            cs32Label=IsServer
  36   NAC Profile                       cs33Label=NAC_Profile
  37   NAC Profile Source                cs34Label=NAC_ProfileSource
  38   Access Point IP Address           cs35Label=AccessPointIp
  39   Access Point Name                 cs36Label=AccessPointName
  40   SSID                              cs37Label=SSID
  41   Authentication Method             cs38Label=AuthMethod
  42   Encryption Cipher                 cs39Label=EncryptionCipher
  43   AD Username                       cs40Label=AD_Username
  44   AD Domain                         cs41Label=AD_Domain
  45   Applications                      cs42Label=Applications
  46   Tags                              cs43Label=Tags
  47   OS Combined                       cs44Label=os_combined

  IoT Security supplies Cortex XSOAR with device attributes, and XSOAR converts them into Common Event Format (CEF) before sending them to the SIEM server. A CEF message is a header of seven pipe-separated fields (CEF version, vendor, product, product version, signature ID, name, severity) followed by a space-separated key=value extension; values in the extension may themselves contain spaces, as in cs2=Smartphone or Tablet below. In the first and third examples the leading INFO:siem-syslog: is logger output, not part of the message; what the SIEM receives begins at CEF:0.

  Example of the device attributes for an Apple iPad in CEF:

    INFO:siem-syslog:CEF:0|PaloAltoNetworks|PANWIOT|1.0|asset|Asset Identification|1|dvc=10.1.1.39 dvcmac=cc:d2:81:33:bd:6a dvchost=iPad cs1Label=Profile cs1=iPad cs2Label=Category cs2=Smartphone or Tablet cs3Label=Type cs3=Non_IoT cs4Label=Vendor cs4=Apple Inc. cs5Label=Model cs5=iPad11,1 cs6Label=Vlan cs6=330 cs7Label=Site cs7=test-1117-04 cs8Label=RiskScore cs8=20 cs9Label=RiskLevel cs9=Low cs10Label=Subnet cs10=10.1.1.0/24 cs15Label=FirstSeenDate cs15=2020-04-07T22:04:20.000Z cs16Label=ConfidenceScore cs16=95 cs17Label=OsGroup cs17=iOS cs22Label=EndpointProtection cs22=not_protected cs25Label=DHCP cs25=Yes cs26Label=WireOrWireless cs26=wireless cs42Label=Applications cs42=Zoom,iCloud,iTunes cs44Label=os_combined cs44=iOS

  Example of an alert about an outdated version of Chrome (note that alerts reuse cs1 and cs2 with their own labels, Description and Values, rather than the device-attribute labels in the table):

    CEF:0|PaloAltoNetworks|PANWIOT|1.0|PaloAltoNetworks Alert:policy_alert|Outdated Chrome version used by IoT device|2|dvcmac=14:91:38:b5:22:18 src=10.1.20.14 shost=unknown dhost=UNKNOWN URL fileId=0oakC30 fileType=alert rt=2020-12-30T23:07:24.000Z deviceCustomDate1=1609369890526 cs1Label=Description cs1=The usage of an outdated Chrome version has been detected on this device. Using older versions of a web browser can expose your device to security risks. cs2Label=Values cs2=[{'label': 'user agent', 'value': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36'}]

  Example of a vulnerability test (here cs11 and cs12 carry vulnerabilityName and DetectionDate, so the SIEM must resolve fields from the csNLabel rather than from a fixed csN position):

    INFO:siem-syslog:CEF:0|PaloAltoNetworks|PANWIOT|1.0|vulnerability|Vulnerability Test - Medium|1|dvc=10.1.3.54 dvcmac=64:16:7f:4c:d1:53 dvchost=Polycom_64167f4cd153 cs1Label=Profile cs1=Polycom Video Conferencing Device cs2Label=Category cs2=Video Audio Conference cs3Label=Type cs3=Office cs4Label=Vendor cs4=Polycom cs5Label=Model cs5=Trio8800 cs8Label=RiskScore cs8=26 cs9Label=RiskLevel cs9=Low cs11Label=vulnerabilityName cs11=Vulnerability Test - Medium cs12Label=DetectionDate cs12=2020-12-23T23:59:59.000Z cs17Label=OsGroup cs17=Embedded cs19Label=OsSupport cs19=Embedded

- Note the IP address of the SIEM server and the port number on which it listens for syslog messages. You will need this information when configuring the SIEM instance in Cortex XSOAR. Confirm that the host on which the Cortex XSOAR engine runs can reach that address and port before you configure the instance.
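The following is an added example, not Palo Alto Networks' own code: it parses the kind of CEF line XSOAR relays to the SIEM (stripping the logger prefix, splitting the seven-field header, walking space-separated key=value pairs whose values may contain spaces, and resolving each csN through its csNLabel), and it builds an asset line from the attribute-to-field table above. The header values are copied from the page's iPad example; the mapping dictionary holds only the first twelve rows of the table; the sample messages are constructed, abbreviated versions of the page's examples.

```python
"""Added example (not Palo Alto Networks' own code): parse the CEF lines that Cortex
XSOAR relays from IoT Security to the SIEM, and build an asset line from the page's
attribute-to-field table. Sample messages are constructed from the page's examples."""
import re

# Subset of the page's table (rows 1-12); extend with the remaining rows as needed.
ATTRIBUTE_TO_CEF = {
    "IP Address": "dvc", "MAC Address": "dvcmac", "Hostname": "dvchost",
    "Profile": "cs1Label=Profile", "Category": "cs2Label=Category",
    "Profile Type": "cs3Label=Type", "Vendor": "cs4Label=Vendor",
    "Model": "cs5Label=Model", "VLAN ID": "cs6Label=Vlan", "Site": "cs7Label=Site",
    "Risk Score": "cs8Label=RiskScore", "Risk Level": "cs9Label=RiskLevel",
}
HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")          # header separator
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")   # start of a key=value pair


def parse_cef(line):
    """Return {'header', 'extension', 'attributes'} for one CEF message.

    Text before 'CEF:' (such as the INFO:siem-syslog: logger prefix shown on the
    page) is dropped: the payload the SIEM parses starts at 'CEF:'. Extension
    values may contain spaces, so a value runs until the next ' key=' token.
    csN values are renamed using their csNLabel so callers see 'RiskScore',
    not 'cs8'.
    """
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    parts = _UNESCAPED_PIPE.split(line[start:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header: expected 7 header fields")
    header = dict(zip(HEADER_FIELDS, [parts[0][len("CEF:"):]] + parts[1:7]))
    header = {k: v.replace("\\|", "|") for k, v in header.items()}

    ext_text, extension = parts[7], {}
    keys = list(_EXT_KEY.finditer(ext_text))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext_text)
        raw = ext_text[m.end():end].strip()
        extension[m.group(1)] = re.sub(r"\\([\\=])", r"\1", raw)  # unescape \= and \\

    labels = {k[:-len("Label")]: v for k, v in extension.items()
              if re.fullmatch(r"cs\d+Label", k)}
    attributes = {}
    for key, value in extension.items():
        if key.endswith("Label") and key[:-len("Label")] in labels:
            continue                       # consumed as a label
        attributes[labels.get(key, key)] = value
    return {"header": header, "extension": extension, "attributes": attributes}


def build_asset_event(attrs):
    """Build the 'asset' line XSOAR sends for one device from IoT Security
    attribute names (keys of ATTRIBUTE_TO_CEF); header values follow the page's
    iPad example. Backslash and '=' in values are escaped as CEF requires."""
    header = "CEF:0|PaloAltoNetworks|PANWIOT|1.0|asset|Asset Identification|1|"
    pairs = []
    for name, value in attrs.items():
        field = ATTRIBUTE_TO_CEF[name]
        value = re.sub(r"([\\=])", r"\\\1", str(value))
        if "Label=" in field:              # custom string: emit label, then value
            cs, label = field.split("Label=")
            pairs.append(f"{cs}Label={label} {cs}={value}")
        else:
            pairs.append(f"{field}={value}")
    return header + " ".join(pairs)


# Constructed samples, abbreviated from the page's asset and alert examples.
SAMPLE_ASSET = (
    "INFO:siem-syslog:CEF:0|PaloAltoNetworks|PANWIOT|1.0|asset|Asset Identification|1|"
    "dvc=10.1.1.39 dvcmac=cc:d2:81:33:bd:6a dvchost=iPad cs1Label=Profile cs1=iPad "
    "cs2Label=Category cs2=Smartphone or Tablet cs3Label=Type cs3=Non_IoT "
    "cs8Label=RiskScore cs8=20 cs9Label=RiskLevel cs9=Low cs26Label=WireOrWireless cs26=wireless"
)
SAMPLE_ALERT = (
    "CEF:0|PaloAltoNetworks|PANWIOT|1.0|PaloAltoNetworks Alert:policy_alert|"
    "Outdated Chrome version used by IoT device|2|dvcmac=14:91:38:b5:22:18 src=10.1.20.14 "
    "shost=unknown dhost=UNKNOWN URL fileType=alert rt=2020-12-30T23:07:24.000Z "
    "cs1Label=Description cs1=The usage of an outdated Chrome version has been detected on this device."
)

if __name__ == "__main__":
    for sample in (SAMPLE_ASSET, SAMPLE_ALERT):
        ev = parse_cef(sample)
        print(ev["header"]["signature_id"], ev["header"]["severity"], ev["attributes"])
    print(build_asset_event({"IP Address": "10.1.1.39", "Profile": "iPad", "Risk Score": 20}))
```

Run it against a capture of what the SIEM actually receives: if `parse_cef` returns attribute names such as Category and RiskScore for an asset line, the csN/csNLabel pairing is intact end to end, and a SIEM field mapping keyed on the label (rather than on a fixed csN position) will also handle the alert and vulnerability messages, which reuse low-numbered csN fields with different labels.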