About SIEM integration
You can integrate Perception Point with various SIEM [Security Information and Event Management] solutions, such as Splunk and QRadar. This lets you use your SIEM solution to monitor system event logs, and the scans that are performed by Perception Point in your organization. This, in turn, enables you to perform tasks such as monitoring and flagging emails that have been scanned, found to be malicious, and then quarantined.
There are two methods available to integrate Perception Point with SIEM solutions:
- Using the Perception Point API
- Using syslogs
Comparing: API vs syslog
The table below should help you decide which is the better method for implementing SIEM integration in your organization - API or syslog.
| API | Syslog |
| --- | --- |
| Encrypted | Not encrypted |
| Configurable | Not configurable |
| Can include all system events | Includes scan-related events only |
| Pull mechanism | Push mechanism |
Note: For new Perception Point customers, the API method is typically recommended for SIEM integration.
Syslog integration
About Syslog integration
The Syslog service that is available in Perception Point can be used to forward event logs to SIEM solutions, such as Splunk and QRadar. Each event entry in the logs relates to a scan that was performed. This enables you to use a SIEM solution to perform tasks such as monitoring and flagging emails that have been found to be malicious and then quarantined.
- There are two available communication protocols for sending Perception Point syslog messages: TCP and UDP.
- Each syslog message is sent in plain text format, and is limited to a maximum of 1,024 characters.
- Syslog messages are not encrypted. [Encrypted syslog is not supported.]
Prerequisites
Before you can integrate the Perception Point syslog service with your SIEM tool, you'll need to send the following information to Perception Point Support [support@perception-point.io], either by email or by using the chat feature, so that they can configure the integration for your organization:
- The server IP to which to send the syslog messages.
- The port to which to send the syslog messages.
- The communication protocol that will be used for sending the syslog messages - TCP or UDP.
- The organization in Perception Point X-Ray for which the syslog service is being implemented.
You can include the text template below in your email:
Subject: Syslog integration
Hi Perception Point Support Team, We are performing a Syslog integration. Please can you configure the following for our organization:
Please let us know when this has been done. Thank you
After this information is configured by Perception Point Support, Perception Point will begin generating and sending syslog messages for the scans performed.
You'll need to configure your SIEM tool to receive the syslog messages from Perception Point.
Firewall requirements
Make sure to enable the required Perception Point IP addresses in your firewall. The IP addresses vary, depending on the environment of your organization.
What is the environment of your organization?
For US environments | For EU environments | For AU environments
Message format
Each syslog message contains pairs of data fields and the associated data, for example Event:Email Scanned. Each "data field and data" pair in a syslog message is separated from the next pair by a pipe symbol: “|”
Each syslog message contains various "standard" data fields, and additional "scan-type-specific" data fields - depending on the type of scan [email, file, or URL]. The available "data field and data" pairs are shown in the tables below.
Standard data fields
Each syslog message may contain some of the data fields that are listed in the table below.
| Data field | Description |
| --- | --- |
| datetime | The time at which the scan was performed, in epoch format. |
| Scan ID | The ID of the scan. The Scan ID is composed as follows: ENV_CODE + scan id |
| From | sample_from |
| Layers | scan layers |
| Verdict | The verdict of the scan. Possible values: |
| Action | The action that was performed. Possible values: |
| Sample | sample identifier |
| Verdict Messages | warning text |
Data fields for email messages
Each syslog message for an email scan may contain one or more of the data fields that are listed in the table below.
| Data field | Description |
| --- | --- |
| Event | Email Scanned |
| IP Address | The source_ip |
| Subject | The subject of the email that was scanned. |
| Message ID | message_id |
| To | The recipient of the email, for example harold@acme.com. sample_to |
Data fields for file messages
Each syslog message for a file scan may contain one or more of the data fields that are listed in the table below.
| Data field | Description |
| --- | --- |
| Event | File Scanned |
| Name | The name of the file that was scanned. |
Data fields for URL messages
Each syslog message for a URL scan may contain one or more of the data fields that are listed in the table below.
| Data field | Description |
| --- | --- |
| Event | URL Scanned |
| URL | The URL that was scanned. scan.sample.path |
Examples
The following is an example of a syslog message for an email scan:
datetime:1612422455.63|Scan ID:000176_1_3e0af324-b2dd-4c24-b952-37457c5882e2|Event:Email Scanned|IP Address:1.2.3.4|Subject:Just Landed | New season femininity + Final sale reductions|Message ID:51e28gbf95n7d2650e0hphroitr3rmefedmftg01|To:harold@acme.com|From: Sender <sender@domain.com>|Layers:|Verdict:SUS|Sample:<3a1a1ddf-b20b-4536-904a5d376d9eb38c@journal.report.generator>
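Note that the subject in the example above itself contains a " | ", so a SIEM parser that simply splits the message on every pipe will produce a broken Subject field and mis-keyed pairs. The parser below handles this by only starting a new pair at a documented field name; it is an added example written for this page, not Perception Point's code or a SIEM vendor's, and it uses the page's own example message as its sample input.

```python
import re
from datetime import datetime, timezone

# Data field names documented on this page (standard plus email/file/URL).
KNOWN_FIELDS = [
    "datetime", "Scan ID", "Event", "IP Address", "Subject", "Message ID",
    "To", "From", "Layers", "Verdict", "Action", "Sample", "Verdict Messages",
    "Name", "URL",
]
_FIELD_START = re.compile(
    "^(" + "|".join(re.escape(f) for f in KNOWN_FIELDS) + "):(.*)$"
)

def parse_syslog_message(msg: str) -> dict:
    """Split a 'Field:value|Field:value' message into a dict.
    A segment that does not begin with a documented field name is treated as
    the continuation of the previous value (a '|' inside e.g. the subject).
    The one ambiguity left is a value whose '|' is followed by a field name."""
    fields: dict = {}
    current = None
    for segment in msg.split("|"):
        if not segment.strip():
            continue  # trailing or doubled separator, nothing to record
        m = _FIELD_START.match(segment)
        if m:
            current, value = m.group(1), m.group(2)
            fields[current] = value
        elif current is not None:
            fields[current] += "|" + segment  # glue continuation back on
    return {k: v.strip() for k, v in fields.items()}

def scan_time_utc(fields: dict) -> str:
    """Render the epoch 'datetime' field as an ISO-8601 UTC timestamp."""
    ts = float(fields["datetime"])
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

# The email-scan example message from this page, used as sample input.
EXAMPLE = (
    "datetime:1612422455.63|Scan ID:000176_1_3e0af324-b2dd-4c24-b952-37457c5882e2"
    "|Event:Email Scanned|IP Address:1.2.3.4"
    "|Subject:Just Landed | New season femininity + Final sale reductions"
    "|Message ID:51e28gbf95n7d2650e0hphroitr3rmefedmftg01|To:harold@acme.com"
    "|From: Sender <sender@domain.com>|Layers:|Verdict:SUS"
    "|Sample:<3a1a1ddf-b20b-4536-904a5d376d9eb38c@journal.report.generator>"
)

def parse_example() -> dict:
    return parse_syslog_message(EXAMPLE)
```

Because messages are capped at 1,024 characters, a long subject can truncate the message mid-pair; check that Verdict and Action are present before acting on a parsed event.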