SIEM integration

Modified on Sat, 7 Sep at 4:49 PM


About SIEM integration

You can integrate Perception Point with various SIEM [Security Information and Event Management] solutions, such as Splunk and QRadar. This lets you use your SIEM solution to monitor system event logs, and the scans that are performed by Perception Point in your organization. This, in turn, enables you to perform tasks such as monitoring and flagging emails that have been scanned, found to be malicious, and then quarantined.

There are two methods available to integrate Perception Point with SIEM solutions:

  • Using the Perception Point API
  • Using syslogs


Comparing: API vs syslog

The table below should help you decide which is the better method for implementing SIEM integration in your organization - API or syslog. 

 

API

Syslog

Encrypted

Not encrypted

Configurable

Not configurable

Can include all system events

Includes scan-related events only

Pull mechanism

Push mechanism

 

 

Note: For new Perception Point customers, the API method is typically recommended for SIEM integration.

 


 Syslog integration


About Syslog integration

The Syslog service that is available in Perception Point can be used to forward event logs to SIEM solutions, such as Splunk and QRadar. Each event entry in the logs relates to a scan that was performed. This enables you to use a SIEM solution to perform tasks such as monitoring and flagging emails that have been found to be malicious and then quarantined.

  • There are 2 available communication protocols for sending Perception Point syslog messages: TCP and UDP.
  • Each syslog message is sent in plain text format, and is limited to a maximum of 1,024 characters.
  • Syslog messages are not encrypted. [Encrypted syslogs are not supported]


Prerequisites

Before you can integrate the Perception Point syslog service with your SIEM tool, you'll need to send the following information to Perception Point Support [support@perception-point.io] - [by email, or by using the chat feature], to configure the integration for your organization:

  • The server IP to which to send the syslog messages.
  • The port to which to send the syslog messages.
  • The communication protocol that will be used for sending the syslog messages - TCP or UDP.
  • The organization in Perception Point X-Ray for which the syslog service is being implemented.

You can include the text template below in your email:

 

Subject: Syslog integration

Hi Perception Point Support Team,

We are performing a Syslog integration. Please can you configure the following for our organization:

  • The server IP to which to send the syslog messages: 
  • The port to which to send the syslog messages: 
  • The communication protocol that will be used for sending the syslog messages: TCP or UDP
  • The organization in Perception Point X-Ray for which the syslog service is being implemented: 

Please let us know when this has been done.

Thank you

 

After this information is configured by Perception Point Support, Perception Point will begin generating and sending syslog messages for the scans performed.

You'll need to configure your SIEM tool to receive the syslog messages from Perception Point.


Firewall requirements

Make sure to enable the required Perception Point IP addresses in your firewall. The IP addresses vary, depending on the environment of your organization.

What is the environment of your organization 

  1. In Perception Point X-Ray, go to Account > Preferences.
  2. The Environment of your organization will appear under General > Info: US, EU, or AU.

 

For US environments

For EU environments

For AU environments

  • 3.81.182.154
  • 3.93.155.149
  • 3.95.118.12
  • 3.95.142.181
  • 54.227.64.76
  • 99.81.216.78
  • 34.249.190.60
  • 108.128.137.108
  • 99.80.189.20
  • 13.236.255.231
  • 54.66.125.250



Message format

Each syslog message contains pairs of data fields and the associated data, for example Event:Email Scanned. Each "data field and data" pair in a syslog message is separated from the next pair by a pipe symbol: “|”

Each syslog message contains various "standard" data fields, and additional "scan-type-specific" data fields - depending on the type of scan [email, file, or URL]. The available "data field and data" pairs are shown in the tables below.

Standard data fields

Each syslog message may contain some of the data fields that are listed in the table below.

 

Data field

Description

datetime

The time at which the scan was performed - in epoch format.

Scan ID

The ID of the scan. The Scan ID is composed as follows: ENV_CODE + scan id

From

sample_from

Layers

scan layers

Verdict

The verdict of the scan. 

Possible values: 

  • MAL
  • SUS
  • CLN

Action

The action that was performed. 

Possible values: 

  • Delivered
  • Scanned
  • Quarantined

Sample

sample identifier

Verdict Messages

warning text

 

Data fields for email messages

Each syslog message for an email scan may contain one or more of the data fields that are listed in the table below.

 

Data field

Description

Event

Email Scanned

IP Address

The source_ip

Subject

The subject of the email that was scanned.

Message ID

message_id

To

The recipient of the email - for example harold@acme.com. 

sample_to

 

Data fields for file messages

Each syslog message for a file scan may contain one or more of the data fields that are listed in the table below.

 

Data field

Description

Event

File Scanned

Name

The name of the file that was scanned.

 

Data fields for URL messages

Each syslog message for a URL scan may contain one or more of the data fields that are listed in the table below.

 

Data field

Description

Event

URL Scanned

URL

The URL that was scanned.

scan.sample.path

 

Examples

The following is an example of a syslog message for an email scan:

datetime:1612422455.63|Scan ID:000176_1_3e0af324-b2dd-4c24-b952-37457c5882e2|Event:Email Scanned|IP Address:1.2.3.4|Subject:Just Landed | New season femininity + Final sale reductions|Message ID:51e28gbf95n7d2650e0hphroitr3rmefedmftg01|To:harold@acme.com|From: Sender <sender@domain.com>|Layers:|Verdict:SUS|Sample:<3a1a1ddf-b20b-4536-904a5d376d9eb38c@journal.report.generator>

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article