VMware NSX Network Detection and Response Syslog Integration

Syslog Integration allows On-Premises appliances to automatically send syslog notifications to a SIEM server when events matching specified criteria are triggered. VMware NSX Network Detection and Response supports sending notifications over syslog in Common Event Format (CEF) or Log Event Extended Format (LEEF). The integration can send a notification when the system detects a specific event on a monitored network, and it can also send notifications about the status of the system appliances.

About Syslog Integration

Some of the terms used in this document are defined here:

SIEM

Security information and event management, a service that provides event monitoring with prioritized alert notification.

CEF

Common Event Format, an open log management standard introduced by ArcSight that improves the interoperability of security-related information from different security and network devices and applications.

LEEF

Log Event Extended Format, a customized event format for IBM Security QRadar.

Trigger category

A trigger category represents a type of event for which notifications should be sent.

Notifications can be triggered by different classes of events. When configuring a notification, you must specify for which trigger notifications should be sent.

Appliance trigger

A trigger category related to events concerning appliance status. These can be either appliance-checkin (an occurrence of an appliance check-in) or appliance-message (status messages from the components of an appliance).

Audit trigger

A trigger category related to audit events (relevant actions performed by a user account on the User Portal). The following are audit event categories:

  • Authentication: Authentication-related actions (for example, a user logged in to the User Portal).

  • Configuration: Appliance-related actions (for example, the reconfiguration of an appliance).

  • Registration: Customer/account/license-related actions (for example, the creation of a new customer).

Intrusion trigger

A trigger category related to intrusion events.

Mail trigger

A trigger category for email detection events. Suspicious or malicious emails can be detected because of attachments, URLs, or other characteristics of the message.

Network trigger

A trigger category related to network events. The following are network events:

  • Malware Command and Control traffic.

  • Drive-by download.

  • Fake anti-virus software activity.

  • Malicious file download.

  • Suspicious network activity.

  • Suspicious URL activity.

  • System network test.

  • Unwanted software activity (for example, adware).

  • Network traffic rule matches.

  • Network anomalies: DNS, HTTP, Kerberos, netflow, SMB, and TLS.

Network IoC trigger

A trigger category related to indicators of compromise (IoC) events. The following are network IoC events:

  • A domain name was identified as a potential IoC.

  • An IP address was identified as a potential IoC.

Test trigger

A trigger category for testing events. A notification can be triggered from the User Portal to verify that the integration was successfully configured. A notification can be verified for:

  • Email

  • HTTP Post

  • Slack

  • Streaming

  • Syslog

Architecture

When using Syslog Integration, the Manager can be configured to automatically send SIEM syslog notifications to a chosen server whenever the configured events are triggered. The Manager can send the notification either directly to the specified server or through a Sensor.

Two formats are supported for SIEM notifications: CEF and LEEF.

The content of the notifications differs depending on the event that has been triggered and the log format which has been chosen for the syslog notification.

Choice of format

The choice between CEF and LEEF may be dictated by the SIEM platform to which syslog notifications need to be sent. When both formats are an option, VMware recommends choosing the LEEF format for the following reasons:

  • CEF limits the number of non-standard extension fields that can be included in a message. Because of this restriction, some VMware NSX Network Detection and Response notification messages contain additional information when encoded in LEEF as compared to CEF.

  • LEEF is an easier format to parse, as it consistently uses the TAB character as its field separator. TAB is not allowed as a value within a field.

    CEF, on the other hand, uses the SPACE character as its separator, but does not forbid the use of the SPACE character as a value within a field.

Transport protocol

SIEM syslog messages can be sent using either UDP or TCP transport protocols. You might prefer TCP for the reliability of messages, but your choice ultimately depends on what the SIEM platform supports.

UDP

When using the UDP transport protocol, each notification message is sent as a single UDP message. The SIEM server must parse each UDP message as a single notification.

TCP

When using the TCP transport protocol, a stream of newline-separated messages is sent to the target SIEM server, which must parse each newline-separated message as a single notification. If the connection between the sender and the receiver is disrupted, there is a single attempt to reestablish the TCP connection. If the connection can be reestablished, sending resumes from the last message that failed. If it cannot be reestablished, pending messages are dropped and not sent until a connection to the server is successfully reestablished.
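The framing rule above matters to whoever writes the receiving side: a TCP segment boundary can fall anywhere inside a notification, while a UDP datagram is always exactly one notification. The following Python is an added example, not code from the VMware documentation. It shows a receiver-side reassembler that buffers TCP chunks until the terminating newline arrives, so a message split across two reads is still delivered whole; the CEF lines it feeds in are constructed samples.

```python
"""Reassemble newline-delimited syslog notifications from a TCP byte stream."""
from typing import List, Tuple


class NewlineFramer:
    """Buffers TCP chunks and returns complete, newline-terminated messages.

    A single recv() may return half a message, several messages, or a tail that
    belongs to the next message. The incomplete tail is kept until its newline
    arrives in a later chunk.
    """

    def __init__(self) -> None:
        self._pending = b""

    def feed(self, chunk: bytes) -> List[str]:
        """Add a received chunk and return every message completed by it."""
        self._pending += chunk
        *complete, self._pending = self._pending.split(b"\n")
        messages = []
        for raw in complete:
            raw = raw.rstrip(b"\r")  # tolerate CRLF-terminated senders
            if raw:                  # skip empty lines between messages
                messages.append(raw.decode("utf-8", errors="replace"))
        return messages

    def pending(self) -> bytes:
        """Bytes received so far that do not yet end in a newline."""
        return self._pending


def udp_datagram_to_message(datagram: bytes) -> str:
    """Over UDP each datagram is exactly one notification, so no framing is
    needed; a trailing newline from the sender is simply stripped."""
    return datagram.rstrip(b"\r\n").decode("utf-8", errors="replace")


def demo() -> Tuple[List[str], bytes]:
    """Run the framer over constructed chunks that split a message mid-way."""
    framer = NewlineFramer()
    # Constructed sample traffic: three CEF messages arriving in two TCP segments,
    # with the second message cut between "DNS" and "Resolution".
    chunk1 = (
        b"Jan 12 10:15:32 ndr-manager CEF:0|NSX|Defender|9.0|appliance-status|Appliance check-in|1|dvc=10.0.0.9\n"
        b"Jan 12 10:15:33 ndr-manager CEF:0|NSX|Defender|9.0|dns-anomaly|Suspicious DNS"
    )
    chunk2 = (
        b" Resolution|6|src=10.0.0.5 dst=192.0.2.53\n"
        b"Jan 12 10:15:34 ndr-manager CEF:0|NSX|Defender|9.0|audit-event|User login|2|suser=admin"
    )
    out = framer.feed(chunk1)
    out += framer.feed(chunk2)
    return out, framer.pending()  # two complete messages, third still pending
```

The third message stays in the buffer because its newline has not arrived yet; on a connection drop the receiver should discard that tail rather than parse it, since the sender will resend from the failed message after a successful reconnect.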

Common Event Format

A CEF log message is composed of a prefix common to all messages and an extension part: a collection of key-value pairs that give additional information about the event. Each key is either part of a predefined set or one of a limited set of custom-defined keys.

Prefix

The structure of the prefix for the CEF notification remains the same for all types of trigger. It is in the following structure:

date origin_host CEF:CEF_version|vendor|product|version|signature_id|name|severity

  • date: Date of the notification generation in MMM dd HH:mm:ss format.

  • origin_host: Source of the SIEM notification.

  • CEF_version: Version of CEF, currently "0".

  • vendor: Name of the vendor (for example, "NSX").

  • product: Name of the product (for example, "Defender").

  • version: Version of the application sending the syslog message (for example, "9.0").

  • signature_id: A unique identifier of the reported event type. The following lists the values for each event:

    • Appliance status events: appliance-status

    • Audit events: audit-event

    • Intrusion events: intrusion-event

    • Mail events:

      • email-attachment: Detection of a malicious email from an email attachment.

      • email-message: Detection of a malicious email based on a message characteristic.

      • email-url: Detection of a malicious email based on a URL.

    • Network events:

      • dga-activity-domain

      • dga-activity-pattern

      • dns-anomaly

      • dns-resolution

      • file-download

      • http-anomaly

      • krb-anomaly

      • netflow-anomaly

      • network-connection

      • nta-rule-match

      • profile-match

      • signature-match

      • sinkhole-resolution

      • smb-anomaly

      • suspicious-url

      • tls-anomaly

    • Network IoC events:

      • network-ioc-domain

      • network-ioc-ip

  • name Human-readable description of the event.

  • severity An integer ranging from 0 to 10, reflecting the importance of the event.

Extension

The extension part contains different fields depending on the type of event:

Appliance trigger fields

  • Predefined fields:

    • cat: Category, the name of the component that sent the message. Possible values are described in the Appliance trigger fields list.

    • deviceExternalId: Unique ID of the appliance.

    • deviceFacility: Detailed name of the component (message event only). Possible values are described in the Appliance trigger fields list.

    • dvc: IP address of the appliance.

    • dvchost: Fully qualified domain name of the appliance.

    • end: Ending timestamp.

    • msg: The actual message being sent by the component (message event only).

    • rt: Receipt time of the event.

    • start: Starting timestamp.

  • Custom fields:

    • deviceType: The type of appliance.

    • impact: Impact of this event, ranging from 0-100 (message event only).

    • msgIdentifier: Identifier of the appliance message (message event only). Possible values are described in the Appliance trigger fields list.

Audit trigger fields

  • Predefined fields:

    • cat: Category of the audit action, currently one of:

      • configuration: Appliance related actions.

      • registration: Account/customer/license related actions.

    • deviceExternalId: Unique ID of the manager appliance (On-Premises only).

    • duser: Customer to which the action refers.

    • externalId: ID of the audit event.

    • src: IP address of the user that performed this action.

    • start: Starting timestamp.

    • suser: Account of the user that performed the logged action.

  • Custom fields:

    • AffectedEntityID: Identifier of the object affected by this action (for example, license key, name of the account, UUID of the appliance).

    • AffectedEntityType: The type of the object affected by this action (for example, "license", "account", "appliance").

    • AuditActionType: The type of the audit action, some possible values are described in the Audit action field list.

    • ConfiguredSoftwareVersion: The version of the software that has been reconfigured (appliance_upgraded events).

    • impact: Impact of this event, ranging from 0-100.

Intrusion trigger fields

  • Predefined fields:

    • cat: The most advanced attack stage.

    • deviceExternalId: Obfuscated identifier of the appliance.

    • deviceFacility: The correlation rule that caused the event, if any.

    • dvc: A sequence of each host with the threats and attack stages associated with it.

    • end: Ending timestamp.

    • externalId: Unique identifier of the intrusion.

    • msg: Detailed information about the intrusion event (for example, "Correlated 3 incidents into an intrusion").

    • start: Starting timestamp.

  • Custom fields:

    • affectedHosts: Number of affected hosts in the intrusion.

    • intrusionName: The name of the intrusion.

    • nrMalware: Number of distinct threats in the intrusion.

Mail trigger fields

  • Predefined fields:

    • act: Action taken in response to this event. Some of the possible values are described in the Mail event action list.

    • deviceExternalId: Obfuscated identifier of the appliance.

    • duser: Recipients of the email message.

    • end: Ending timestamp.

    • fileHash: MD5 hash of the malicious attachment (malicious attachment only).

    • fileType: Type of the malicious attachment (malicious attachment only).

    • fname: Name of the malicious attachment (malicious attachment only).

    • fsize: Size of the malicious attachment (malicious attachment only).

    • start: Starting timestamp.

    • suser: Sender of the email message.

  • Custom fields:

    • EmailSubject: Subject of the email message.

    • fileCategory: Category of the malicious attachment (malicious attachment only).

    • fileSHA1: SHA-1 hash of the malicious attachment (malicious attachment only).

    • impact: Impact of this event, ranging from 0-100.

    • mailUrl: Malicious URL found in the mail message (malicious URL only).

    • mailUrlHash: MD5 hash of the malicious URL (malicious URL only).

    • MessageID: ID of the email message.

Network trigger fields

  • Predefined fields:

    • act: Action taken in response to this event.

    • cat: Information about the event malware in the form "malware class name/malware name".

    • cnt: Number of occurrences of this event.

    • deviceExternalId: Obfuscated identifier of the appliance.

    • dhost: Destination hostname of the event.

    • dst: Destination IP address of the event.

    • end: Ending timestamp.

    • externalId: Identifier of the event.

    • fileHash: MD5 hash of the malicious file (malicious file download only).

    • fileType: Type of the malicious file (malicious file download only).

    • fname: Name of the malicious file (malicious file download only).

    • fsize: Size of the malicious file (malicious file download only).

    • msg: Comment on the intelligence entry (if this particular event is due to a hit on custom intelligence).

    • proto: Transport layer protocol used by the event.

    • reason: Name of the source (if this particular event is due to a hit on custom intelligence).

    • smac: Source MAC address of the event.

    • sourceDnsDomain: Hostname of the source.

    • src: Source IP address of the event.

    • start: Starting timestamp.

    • suser: String representation of the list of users that were logged on at the time of the event.

  • Custom fields:

    • detectionId: String representing the concatenation of threat, activity, and detector id.

    • EventUrl: URL of the network event. In case of a file download this will be the URL the file was downloaded from. Otherwise it will be the URL directly associated with the network event.

    • fileCategory: Category of the malicious file (malicious file download only).

    • fileSHA1: SHA-1 hash of the malicious file (malicious file download only).

    • impact: Impact of this event, ranging from 0-100.

    • IncidentId: Identifier of the incident related to this event.

    • IncidentImpact: Impact of the incident related to this event.

    • ResolvedDomain: Resolved destination domain.

Network IoC trigger fields

  • Predefined fields:

    • cat: Main threat associated with the network IoC.

    • deviceExternalId: Unique identifier of the appliance associated with the origin of the network IoC.

    • dhost: Domain name of the resolved network IoC. The presence of a domain name together with an IP address is used to keep track of whether the IP address comes from a DNS resolution.

    • dst: Either a domain name or an IP address of the destination.

    • end: Last time reputation information has been updated.

    • start: Origin time of the network IoC.

  • Custom fields:

    • additionalThreats: Additional threats associated with the network IoC.

    • attributes: Additional attributes associated with the network IoC.

    • detectionId: Unique identifier of the network IoC.

    • detectionType: Origin of the network IoC.

    • impact: Impact of the network IoC.

Test trigger fields

  • Predefined fields:

    • devTime: Timestamp of the event.

    • devTimeFormat: Format of "devTime" (MMM dd yyyy HH:mm:ss z).

    • externalId: Unique identifier for the test.

  • Custom fields:

    • impact: Impact of this event. Always 10 for tests.

    • notification_config_id: Unique identifier for the notification configuration.
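The CEF layout described in this section, together with the caveat under Choice of format that CEF uses SPACE as the extension separator while still permitting spaces inside values, is what a consumer has to implement. The following Python parser is an added example, not VMware's code: it splits the prefix on unescaped pipes, resolves the CEF backslash escapes, and lets each extension value run up to the next `key=` token so that a value such as `fname=invoice 2024.exe` survives intact. The two sample messages are constructed; they use field names from the lists above, and every address, hostname and value in them is invented.

```python
"""Parse a CEF syslog notification into its prefix fields and extension map."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Syslog part of the prefix: "MMM dd HH:mm:ss origin_host CEF:...".
_SYSLOG_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<cef>CEF:.*)$"
)
# Header fields are separated by a pipe that is not preceded by a backslash.
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")
# An extension key starts the string or follows whitespace. A bare "a=b" inside
# a URL value is preceded by "?" or "&", so it is not mistaken for a new key.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")
_ESCAPES = {"n": "\n", "r": "\r"}


@dataclass
class CefEvent:
    date: str
    origin_host: str
    cef_version: str
    vendor: str
    product: str
    version: str
    signature_id: str
    name: str
    severity: int
    extension: Dict[str, str] = field(default_factory=dict)


def _unescape(value: str) -> str:
    # Resolve the CEF escapes \| \= \\ \n \r in a single left-to-right pass.
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), value)


def parse_extension(ext: str) -> Dict[str, str]:
    """Split the SPACE-separated extension. Values may contain spaces, so each
    value runs from its "=" up to the start of the next "key=" token."""
    keys = list(_EXT_KEY.finditer(ext))
    result: Dict[str, str] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        result[m.group(1)] = _unescape(ext[m.end():end].strip())
    return result


def parse_cef(line: str) -> Optional[CefEvent]:
    """Parse one notification line; returns None if it is not a CEF message."""
    m = _SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    parts = _UNESCAPED_PIPE.split(m.group("cef"), maxsplit=7)
    if len(parts) < 7:  # the prefix always carries seven pipe-separated fields
        return None
    header = [_unescape(p) for p in parts[:7]]
    return CefEvent(
        date=m.group("date"),
        origin_host=m.group("host"),
        cef_version=header[0].split(":", 1)[1],
        vendor=header[1],
        product=header[2],
        version=header[3],
        signature_id=header[4],
        name=header[5],
        severity=int(header[6]),
        extension=parse_extension(parts[7]) if len(parts) == 8 else {},
    )


# Constructed sample notifications (not captured from a real appliance). Field
# names follow the Network and Intrusion trigger field lists above.
SAMPLE_FILE_DOWNLOAD = (
    "Jan 12 10:15:32 ndr-manager CEF:0|NSX|Defender|9.0|file-download|"
    "Malicious file download|8|src=10.0.0.5 dst=203.0.113.7 dhost=files.example.test "
    "fname=invoice 2024.exe fileType=PE32 executable fsize=348160 impact=80 "
    "cat=trojan/Generic EventUrl=http://files.example.test/dl?id=7&src=mail"
)
SAMPLE_ESCAPED = (
    r"Jan 12 10:20:01 ndr-manager CEF:0|NSX|Defender|9.0|intrusion-event|"
    r"Correlated 3 incidents \| host 10.0.0.5|10|externalId=42 msg=stage\=lateral movement"
)

if __name__ == "__main__":
    for sample in (SAMPLE_FILE_DOWNLOAD, SAMPLE_ESCAPED):
        event = parse_cef(sample)
        print(event.signature_id, event.severity, event.extension)
```

Note how the `&src=mail` inside `EventUrl` is not split off as a second `src` key because it is not preceded by whitespace; a producer that needs a literal `=` in a value is expected to write `\=`, which the second sample exercises.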

Log Event Extended Format

A LEEF log message is composed of an optional syslog header, a LEEF header, and a collection of attributes, either for a predefined or custom-defined set, describing the event.

Note:

The ^ (caret) and | (pipe) characters should be avoided in LEEF notifications. They could be interpreted as the default delimiters and cause parsing issues. To prevent this, ^ and | are encoded as \x5E and \x7C respectively in VMware NSX Network Detection and Response SIEM notifications.

Header

The structure of the syslog plus LEEF headers remains the same for all types of trigger. It is in the following structure:

date origin_host LEEF:LEEF_version|vendor|product|version|event_id

  • date: Date of the notification generation in MMM dd HH:mm:ss format.

  • origin_host: Source of the SIEM notification.

  • LEEF_version: Version of LEEF, currently "1.0".

  • vendor: Name of the vendor (for example, "NSX").

  • product: Name of the product (for example, "Defender").

  • version: Version of the application sending the syslog message (for example, "9.0").

  • event_id: A unique identifier of the reported event type. The following lists the values for each event:

    • Appliance status events: appliance-status

    • Audit events: audit-event

    • Intrusion events: intrusion-event

    • Mail events:

      • email-attachment: Detection of a malicious email from an email attachment.

      • email-message: Detection of a malicious email based on a message characteristic.

      • email-url: Detection of a malicious email based on a URL.

    • Network events:

      • dga-activity-domain

      • dga-activity-pattern

      • dns-anomaly

      • dns-resolution

      • file-download

      • http-anomaly

      • krb-anomaly

      • netflow-anomaly

      • network-connection

      • nta-rule-match

      • profile-match

      • signature-match

      • sinkhole-resolution

      • smb-anomaly

      • suspicious-url

      • tls-anomaly

    • Network IoC events:

      • network-ioc-domain

      • network-ioc-ip

Event attributes

The event attributes contained in the SIEM message depend on the type of event:

Appliance trigger fields

  • Predefined fields:

    • cat: Category, the name of the component that sent the message. Possible values are described in the Appliance trigger fields list.

    • deviceExternalId: Unique ID of the appliance.

    • devTime: Timestamp of the event.

    • devTimeFormat: Format of "devTime" (MMM dd yyyy HH:mm:ss z).

    • sev: Severity, an integer ranging from 0 to 10 reflecting the importance of the event.

    • src: IP address of the appliance.

  • Custom fields:

    • deviceFacility: Detailed name of the component (message event only). Possible values are described in the Appliance trigger fields list.

    • deviceType: The type of appliance.

    • dvchost: Fully qualified domain name of the appliance.

    • impact: Impact of this event, ranging from 0-100 (message event only).

    • msg: The actual message being sent by the component (message event only).

    • msgIdentifier: Identifier of the appliance message (message event only). Possible values are described in the Appliance trigger fields list.

Audit trigger fields

  • Predefined fields:

    • accountName: Customer to which the action refers.

    • cat: Category of the audit action, currently one of:

      • configuration: Appliance related actions.

      • registration: Account/customer/license related actions.

    • desc: Extended description of the audit action.

    • deviceExternalId: Unique ID of the manager appliance (On-Premises only).

    • devTime: Timestamp of the event.

    • devTimeFormat: Format of "devTime" (MMM dd yyyy HH:mm:ss z).

    • sev: Severity, an integer ranging from 0 to 10 reflecting the importance of the event.

    • src: IP address of the user that performed this action.

    • usrName: User that performed this action.

  • Custom fields:

    • AffectedEntityType: The type of the object affected by this action (for example, "license", "account", "appliance").

    • AffectedEntityID: Identifier of the object affected by this action (for example, license key, name of the account, UUID of the appliance).

    • AuditActionType: The type of the audit action, some possible values are described in the Audit action field list.

    • ConfiguredSoftwareVersion: The version of the software that has been reconfigured (appliance_upgraded events).

    • externalId: ID of the audit event.

    • impact: Impact of this event, ranging from 0-100.

Intrusion trigger fields

  • Predefined fields:

    • desc: Returns either "Created intrusion" or "Updated intrusion".

    • deviceExternalId: Obfuscated identifier of the appliance.

    • devTime: Timestamp of the event.

    • devTimeFormat: Format of "devTime" (MMM dd yyyy HH:mm:ss z).

    • sev: Severity, an integer ranging from 0 to 10; always 10.

    • src: A sequence of each host with the threats and attack stages associated with it.

    • url: A URL that links directly to the intrusion in the User Portal.

  • Custom fields:

    • affectedHosts: Number of affected hosts in the intrusion.

    • correlationRule: The correlation rule that defines the event, if any.

    • externalId: Unique identifier of the intrusion.

    • intrusionName: The name of the intrusion.

    • mostAdvancedAttackStage: The most advanced attack stage.

    • msg: Detailed information about the intrusion event (for example, "Correlated 3 incidents into an intrusion").

    • nrMalware: Number of distinct threats in the intrusion.

    • reason: The reason behind the intrusion event.

Mail trigger fields

  • Predefined fields:

    • desc: Description of the event (for example, "Suspicious Email Attachment").

    • deviceExternalId: Obfuscated identifier of the appliance.

    • devTime: Timestamp of the event.

    • devTimeFormat: Format of "devTime" (MMM dd yyyy HH:mm:ss z).

    • sev: Severity, an integer ranging from 0 to 10 reflecting the importance of the event.

    • usrName: Recipients of the email message.

  • Custom fields:

    • act: Action taken in response to this event. Some of the possible values are described in the Mail event action list.

    • EmailSubject: Subject of the email message.

    • fileCategory: Category of the malicious attachment (malicious attachment only).

    • fileHash: MD5 hash of the malicious attachment (malicious attachment only).

    • fileSHA1: SHA-1 hash of the malicious attachment (malicious attachment only).

    • fileType: Type of the malicious attachment (malicious attachment only).

    • fname: Name of the malicious attachment (malicious attachment only).

    • fsize: Size of the malicious attachment (malicious attachment only).

    • impact: Impact of this event, ranging from 0-100.

    • mailUrl: Malicious URL found in the mail message (malicious URL only).

    • mailUrlHash: MD5 hash of the malicious URL (malicious URL only).

    • messageID: ID of the email message.

    • Sender: Sender of the email message.

Network trigger fields

A notification can include information about PCAPs related to the network event. If multiple PCAPs are available for a single event, multiple notifications are sent for the event, each with different PCAP information.

  • Predefined fields:

    • cat: Information about the event malware in the form "malware class name/malware name".

    • desc: Description of the event (for example, "Suspicious DNS Resolution").

    • deviceExternalId: Obfuscated identifier of the appliance.

    • devTime: Timestamp of the event.

    • devTimeFormat: Format of "devTime" (MMM dd yyyy HH:mm:ss z).

    • dst: Destination IP address of the event.

    • proto: Transport layer protocol used by the event.

    • sev: Severity, an integer ranging from 0 to 10 reflecting the importance of the event.

    • src: Source IP address of the event.

    • srcMAC: Source MAC address of the event.

    • usrName: String representation of the list of users that were logged on at the time of the event.

  • Custom fields:

    • act: Action taken in response to this event.

    • cnt: Number of occurrences of this event.

    • detectionId: String representing the concatenation of threat, activity, and detector id.

    • dhost: Destination hostname of the event.

    • EventUrl: URL of the network event. In case of a file download this will be the URL the file was downloaded from. Otherwise it will be the URL directly associated with the network event.

    • externalId: Identifier of the event.

    • fileCategory: Category of the malicious file (malicious file download only).

    • fileHash: MD5 hash of the malicious file (malicious file download only).

    • fileSHA1: SHA-1 hash of the malicious file (malicious file download only).

    • fileType: Type of the malicious file (malicious file download only).

    • fname: Name of the malicious file (malicious file download only).

    • fsize: Size of the malicious file (malicious file download only).

    • impact: Impact of this event, ranging from 0-100.

    • IncidentClass: Name of the threat family related to the incident.

    • IncidentId: Identifier of the incident related to this event.

    • IncidentImpact: Impact of the incident related to this event.

    • IncidentMalware: Name of the threat related to the incident.

    • malware: The name of the detected threat.

    • msg: Comment on the intelligence entry (if this particular event is due to a hit on custom intelligence).

    • reason: Name of the source (if this particular event is due to a hit on custom intelligence).

    • ResolvedDomain: Resolved destination domain.

  • PCAP fields

    • pcapBody: Raw binary content of the traffic capture, base64 encoded (might be truncated if too long).

    • pcapDstIp: Destination IPv4 address of the PCAP.

    • pcapDstPort: Destination port of the PCAP.

    • pcapFailedConnections: Number of failed connections from the PCAP.

    • pcapHosts: List of contacted hostnames from the PCAP.

    • pcapId: Identifier of the PCAP related to this event.

    • pcapInBytes: Number of bytes received.

    • pcapOutBytes: Number of bytes sent.

    • pcapProtocols: List of protocols.

    • pcapSrcIp: Source IPv4 address of the PCAP.

    • pcapSrcPort: Source port of the PCAP.

    • pcapStartTime: Start time of the PCAP.

    • pcapSuccessfulConnections: Number of successful connections from the PCAP.

    • pcapThreats: List of threats involved in this PCAP.

    • pcapUrls: List of URLs associated with this PCAP.

Network IoC trigger fields

  • Predefined fields:

    • cat: Main threat associated with the network IoC.

    • desc: Description of the type for the network IoC. Either "Network IoC IP" or "Network IoC domain".

    • devTime: Timestamp of the event.

    • devTimeFormat: Format of "devTime" (MMM dd yyyy HH:mm:ss z).

    • deviceExternalId: Unique identifier of the appliance associated with the origin of the network IoC.

    • dhost: Domain name of the resolved network IoC. The presence of a domain name together with an IP address is used to keep track of whether the IP address comes from a DNS resolution.

    • dst: Either a domain name or an IP address of the destination.

    • externalId: Unique identifier of the network IoC.

    • sev: Severity, an integer ranging from 0 to 10 reflecting the importance of the network IoC.

  • Custom fields:

    • additionalMalware: Additional threats associated with the network IoC.

    • ApplianceName: Name of the sensor associated with the origin of the network IoC.

    • impact: Impact of the network IoC.

    • lastUpdate: Last time reputation information was updated.

    • license: Unique identifier of the appliance associated with the origin of the network IoC.

    • malware: Main threat associated with the network IoC.

    • metadata: Additional attributes associated with the network IoC.

    • triggerType: Type of trigger.

    • url: Link to the origin of the network IoC in the User Portal.

Test trigger fields

  • Predefined fields:

    • desc: Description of the event (for example, "User triggered test event").

    • devTime: Timestamp of the event.

    • devTimeFormat: Format of "devTime" (MMM dd yyyy HH:mm:ss z).

    • externalId: Unique identifier for the test.

    • impact: Impact of this event. Always 10 for tests.

  • Custom fields:

    • notification_config_id: Unique identifier for the notification configuration.
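As a counterpart for the LEEF side, the following Python handles a message as this section describes it: TAB-separated attributes after the header, the `\x5E`/`\x7C` encoding of caret and pipe from the note above, `devTime` interpreted through the Java-style pattern carried in `devTimeFormat`, and a base64 `pcapBody` that may have been truncated. It is an added example, not VMware's code. The placement of the attributes after the final pipe follows the LEEF 1.0 specification rather than this page, and the sample notification and its 24-byte PCAP header are constructed.

```python
"""Parse a LEEF 1.0 notification, restore its encoded delimiters, decode pcapBody."""
import base64
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Optional

# Syslog header followed by the LEEF header: "MMM dd HH:mm:ss origin_host LEEF:...".
_SYSLOG_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<leef>LEEF:.*)$"
)
# devTimeFormat is written in Java SimpleDateFormat notation; map it onto strptime.
_JAVA_TOKENS = {"MMM": "%b", "dd": "%d", "yyyy": "%Y", "HH": "%H", "mm": "%M", "ss": "%S", "z": "%Z"}
# libpcap magic numbers (both byte orders, micro- and nanosecond) and the pcapng block type.
_PCAP_MAGICS = {bytes.fromhex(h) for h in ("d4c3b2a1", "a1b2c3d4", "4d3cb2a1", "a1b23c4d", "0a0d0d0a")}


def _decode_delimiters(value: str) -> str:
    # The sender writes "^" as the four characters \x5E and "|" as \x7C; undo that.
    return value.replace(r"\x5E", "^").replace(r"\x7C", "|")


def _java_to_strptime(fmt: str) -> str:
    return re.sub("|".join(_JAVA_TOKENS), lambda m: _JAVA_TOKENS[m.group(0)], fmt)


def decode_pcap_body(b64: str) -> bytes:
    """Base64-decode pcapBody, tolerating the truncation the field list warns about."""
    s = b64.strip().rstrip("=")
    if len(s) % 4 == 1:  # a lone trailing symbol cannot encode a whole byte
        s = s[:-1]
    return base64.b64decode(s + "=" * (-len(s) % 4))


def looks_like_pcap(data: bytes) -> bool:
    return data[:4] in _PCAP_MAGICS


@dataclass
class LeefEvent:
    date: str
    origin_host: str
    leef_version: str
    vendor: str
    product: str
    version: str
    event_id: str
    attributes: Dict[str, str] = field(default_factory=dict)

    def dev_time(self) -> Optional[datetime]:
        """Parse devTime with the pattern the message itself carries in devTimeFormat."""
        raw, fmt = self.attributes.get("devTime"), self.attributes.get("devTimeFormat")
        if not raw or not fmt:
            return None
        return datetime.strptime(raw, _java_to_strptime(fmt))

    def pcap(self) -> Optional[bytes]:
        body = self.attributes.get("pcapBody")
        return decode_pcap_body(body) if body else None


def parse_leef(line: str) -> Optional[LeefEvent]:
    """Parse one notification line; returns None if it is not a LEEF message."""
    m = _SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    parts = m.group("leef").split("|", 5)  # LEEF 1.0: attributes follow the fifth pipe
    if len(parts) < 5:
        return None
    attrs: Dict[str, str] = {}
    if len(parts) == 6:
        for item in parts[5].split("\t"):  # TAB is the only attribute separator
            if "=" in item:
                key, value = item.split("=", 1)
                attrs[key] = _decode_delimiters(value)
    return LeefEvent(
        date=m.group("date"), origin_host=m.group("host"),
        leef_version=parts[0].split(":", 1)[1], vendor=parts[1], product=parts[2],
        version=parts[3], event_id=parts[4], attributes=attrs,
    )


# Constructed 24-byte libpcap global header (little-endian magic, version 2.4,
# snaplen 65535, LINKTYPE_ETHERNET) standing in for a real capture.
_PCAP_HEADER = bytes.fromhex("d4c3b2a1 02000400 00000000 00000000 ffff0000 01000000")

# Constructed sample notification using names from the Network trigger and PCAP field lists.
SAMPLE_LEEF = "\t".join([
    "Jan 12 10:16:01 ndr-sensor LEEF:1.0|NSX|Defender|9.0|network-connection|cat=trojan/Generic",
    "desc=Malicious Command and Control traffic",
    "devTime=Jan 12 2024 10:16:01 UTC",
    "devTimeFormat=MMM dd yyyy HH:mm:ss z",
    "sev=9",
    "src=10.0.0.5",
    "dst=198.51.100.20",
    "proto=TCP",
    r"msg=custom intel \x7C see ticket \x5E42",
    "pcapDstPort=443",
    "pcapBody=" + base64.b64encode(_PCAP_HEADER).decode("ascii"),
])
```

Because the delimiters are restored only after the attribute string has been split on TAB, an encoded pipe or caret inside `msg` cannot disturb the parse; checking the decoded `pcapBody` for a capture-file magic number is a cheap guard before handing it to a PCAP library.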

Configure the User Portal

Configure the sending of syslog notifications to a SIEM server from the User Portal.

  1. Log in to the Web UI

    Using your Web browser, log in to the User Portal at https://user.lastline.com/ (for EMEA customers https://user.emea.lastline.com/) for a hosted deployment, or to the Manager Web UI for an On-Premises installation.

  2. Navigate to the Syslog tab

    From the Main navigation menu, click Admin. On the Admin page, select Notifications from left sidebar menu. Then on the Notifications page, click Syslog.

  3. Create a syslog notification

    Click the plus icon to add a notification.

  4. Configure the notification

    The Create Syslog Notification form consists of three sections:

    1. Common settings: select the appliance, limits, and timezone.

    2. SIEM server settings: hostname, protocol, and log format.

    3. Triggers: the events that send notifications.

    1. Select an appliance

      In the Appliance block, select a License from the pull-down menu. Choose from All licenses (selects all sensors), All sensors, or select a specific license. Then from the Sensor pull-down menu, select All sensors for the chosen license or any specific sensor.

    2. Select a daily limit

      In the Daily limit box, select the maximum number of notifications to send within a 24-hour period. 0 (zero) means unlimited.

    3. Set the timezone

      In the Timezone box, set the timezone by which daily limits are computed. The selected timezone does not need to be the same as the system timezone.

    4. Enable the notification

      By default, the notification is enabled when you save. Click the Enabled button to toggle this setting.

    5. Define the SIEM server

      In the SIEM server block, enter the hostname or IP address of the SIEM server in the Location box. Enter the port number on which the SIEM server will be listening for messages in the Port box.

      This is the SIEM system that notifications will be sent to.

    6. Define the SIEM hostname

      Enter a hostname in the SIEM Hostname box. This is the source of the SIEM notification. This hostname is inserted into the prefix of the message.

    7. Select a transport protocol

      From the Transport protocol pull-down menu, select either TCP or UDP. The default is UDP.

    8. Select the SIEM source

      From the SIEM source pull-down menu, select either Manager or Sensor. This is the source of the SIEM logs in your network.

      Selecting Manager allows you to centralize your log source at the Manager.

      Selecting Sensor allows you to distribute the log source across your network to the Sensor that generated the alert.

      Note:

      Typically, the members of a Sensor Group all belong to the same license. The recommended method is to apply the notification parameters to the license. Alternatively, you must individually configure the notification parameters for each Sensor in the Sensor Group. Using the group to configure notifications for a set of Sensor appliances is not supported.

    9. Select the log format

      From the SIEM log format pull-down menu, select either CEF or LEEF.

      If you select LEEF, the Include pcap block appears. If Enabled, PCAP information will be included with the notification for network events.

      PCAP is only available with LEEF and is disabled by default.

    10. Select the triggers

      Select the appropriate triggers for the notification. These are the default settings:

      Appliance triggers

      Appliance triggers are set to Enabled.

      Audit triggers

      Audit triggers are set to Disabled.

      Network triggers

      Network triggers are set to Enabled.

      Intrusion triggers

      Intrusion triggers are set to Disabled.

      Mail triggers

      Mail triggers are set to Enabled.

      Network IoC triggers

      Network IoC triggers are set to Enabled.

      Intelligence triggers

      Intelligence triggers are set to Disabled. These triggers are only available when All licenses is selected.

      See the topic About notification triggers in the User Portal on-line help for further details.

  5. Save the notification

    Once the notification is properly configured, click the Save button to apply your changes. The Syslog notification configuration summary pop-up is displayed. When you close it, the Syslog notifications list is displayed.

Test Syslog Integration

Test that the Syslog Integration on the User Portal has been correctly configured.

  1. Configure the SIEM server

    Configure rsyslog (or your SIEM's own collector) on the destination server to listen on the protocol and port configured for the notification and to write the received messages somewhere you can inspect them.

  2. Generate a trigger request

    On the User Portal, navigate to the Syslog tab. Click the heartbeat/test icon in the appropriate row of the Syslog notifications list to send a test notification.

    Alternatively, you can manually generate a request that triggers one of the configured events. For example, from a host whose traffic the Sensor monitors:

    $ curl test.lastline.com

    The resulting network-connection and dns-resolution events are reported with the category Lastline test, as in the Network event notifications examples below (Network triggers must be enabled for the notification).
  3. Check the destination server

    On the destination server, check that the request was correctly received.

  4. Check the User Portal

    On the User Portal, an entry for the SIEM notification will be displayed regardless of success or failure.

    Navigate to Admin > Appliances > Logs > Monitoring Logs.

    Click the plus icon to expand the Filters widget. Select "Component" from the pull-down menu to add the Component filter, then select "Notification Delivery Service" from its pull-down menu.

    In the monitoring log, look for "SIEM Server Status" in the Type column. It will contain details about the notification delivery.

Configure Syslog Streaming

In addition to sending syslog notifications to a SIEM server when matching events are triggered, you can configure the system to stream the operating system logs of the Ubuntu server hosting the appliance to a remote server. This feature streams the log files under /var/log (auth.log, kern.log, syslog, and so on). It strengthens the audit trail: a copy of each log line leaves the appliance as soon as it is written, so someone who gains access to the appliance cannot erase the local record of what was done there. For example, combined with a policy of running privileged commands through sudo, syslog streaming delivers the history of every privileged command (which sudo records in auth.log) to the remote log server.

Note:

You do not need to use the same destination server for both event monitoring and operating system logs.

  1. Log in to the Web UI

    Using your Web browser, log in to the User Portal at https://user.lastline.com/ (for EMEA customers https://user.emea.lastline.com/) for a hosted deployment, or to the Manager Web UI for an On-Premises installation.

  2. Navigate to the Configuration tab

    From the Main navigation menu, click Admin. On the Admin page, select Appliances from the left sidebar menu, then on the Appliances tab click Configuration. Initially, no appliance is selected on the Configuration tab: click the Appliance: None Selected link and select an appliance from the Select Appliance pop-up.

    Alternatively, from the Appliances Overview tab, scroll to the row for the desired appliance, click the Quick links button, and select Configuration from the pull-down menu.

  3. Select System and set the streaming option

    On the Configuration: System tab, set Syslog streaming to Enabled (by default, it is disabled).

    Define at least one destination server in the Syslog Destinations list that is displayed. For each destination, select the Protocol (UDP or TCP), then enter a Host (IP address or FQDN) and Port (default 514). Neither protocol encrypts the stream, so carry it over a trusted management network; prefer TCP where completeness of the audit trail matters, because dropped UDP datagrams are lost silently.

    Use the Actions column to delete an entry (the delete icon) or to reset the port to its default (the reload icon).

  4. Save the configuration change

    Click the Save and deploy button. Otherwise click Cancel to discard any changes.

    Note:

    The User Portal displays a pop-up prompt to prevent you from navigating away with unsaved changes.

On the destination server, check that the system logs were correctly received. If the configuration was successful, you should see something like the following:

root@ubuntu# grep -i lastline /var/log/syslog

Feb 13 10:08:44 lastline-sensor rsyslogd: [origin software="rsyslogd" swVersion="7.4.4" x-pid="51310" x-info="http://www.rsyslog.com"] start
Feb 13 10:08:44 lastline-sensor rsyslogd-2307: warning: ~ action is deprecated, consider using the 'stop' statement instead [try http://www.rsyslog.com/e/2307 ]
Feb 13 10:08:44 lastline-sensor rsyslogd-2307: message repeated 2 times: [warning: ~ action is deprecated, consider using the 'stop' statement instead [try http://www.rsyslog.com/e/2307 ]]
Feb 13 10:08:44 lastline-sensor rsyslogd: rsyslogd's groupid changed to 104
Feb 13 10:08:44 lastline-sensor rsyslogd: rsyslogd's userid changed to 101
Feb 13 10:09:12 lastline-sensor kernel: [ 1583.964090] init: suricata-lastline main process (1541) killed by KILL signal
Feb 13 10:11:18 lastline-sensor llpsv: Worker process 2430 terminated with status 0
Feb 13 10:11:18 lastline-sensor llpsv: Child terminated normally
Feb 13 10:11:20 lastline-sensor llpsv: Started worker process 58163
...
      

Notifications Examples

The following are examples of syslog notifications for each trigger category, in both CEF and LEEF. In the LEEF examples the tab character that separates attributes is written as \t.

Appliance event notifications

Example of a notification reporting that an appliance is online.

CEF:

Jan 13 14:22:17 test1 CEF: 0|Lastline|Defender|9.0|appliance-status|Appliance Status|1|cat=Online cs1=SENSOR cs1Label=deviceType cs2=https://user.lastline.local/appliance#/config/status/0284f6fcf42f4e859499f00bc00c19a7 cs2Label=deviceStatusLink deviceExternalId=0284f6fcf42f4e859499f00bc00c19a7 dvc=192.168.1.52 dvchost=lastline-sensor.lastline.local end=Jan 13 2015 14:22:17 UTC rt=Jan 13 2015 14:22:17 UTC start=Jan 13 2015 14:22:17 UTC

LEEF:

Jan 13 14:22:17 test2 LEEF: 1.0|Lastline|Defender|9.0|appliance-status|cat=Online\tdevTime=Jan 13 2015 14:22:17 UTC\tdevTimeFormat=MMM dd yyyy HH:mm:ss z\tdeviceExternalId=0284f6fcf42f4e859499f00bc00c19a7\tdeviceStatusLink=https://user.lastline.local/appliance#/config/status/0284f6fcf42f4e859499f00bc00c19a7\tdeviceType=SENSOR\tdvchost=lastline-sensor.lastline.local\tsev=1\tsrc=192.168.1.52

Example of a notification reporting that an appliance is offline.

CEF:

Jan 13 15:30:46 test1 CEF: 0|Lastline|Defender|9.0|appliance-status|Appliance Status|4|cat=Offline cs1=SENSOR cs1Label=deviceType cs2=https://user.lastline.local/appliance#/config/status/0284f6fcf42f4e859499f00bc00c19a7 cs2Label=deviceStatusLink deviceExternalId=0284f6fcf42f4e859499f00bc00c19a7 dvc=192.168.1.52 dvchost=lastline-sensor.lastline.local end=Jan 13 2015 15:30:46 UTC rt=Jan 13 2015 14:30:46 UTC start=Jan 13 2015 15:30:46 UTC

LEEF:

Jan 13 15:30:46 test2 LEEF: 1.0|Lastline|Defender|9.0|appliance-status|cat=Offline\tdevTime=Jan 13 2015 14:30:46 UTC\tdevTimeFormat=MMM dd yyyy HH:mm:ss z\tdeviceExternalId=0284f6fcf42f4e859499f00bc00c19a7\tdeviceStatusLink=https://user.lastline.local/appliance#/config/status/0284f6fcf42f4e859499f00bc00c19a7\tdeviceType=SENSOR\tdvchost=lastline-sensor.lastline.local\tsev=4\tsrc=192.168.1.52

Example of a notification reporting the successful upload of email metadata.

CEF:

Jan 13 14:23:14 test1 CEF: 0|Lastline|Defender|9.0|appliance-status|Appliance Status|1|cat=Email Analysis Service cn1=10 cn1Label=impact cs1=SENSOR cs1Label=deviceType cs2=https://user.lastline.local/appliance#/config/status/0284f6fcf42f4e859499f00bc00c19a7 cs2Label=deviceStatusLink cs3=llmail.sharduploader.upload cs3Label=msgIdentifier deviceExternalId=0284f6fcf42f4e859499f00bc00c19a7 deviceFacility=Email metadata uploader dvc=192.168.1.52 dvchost=lastline-sensor.lastline.local end=Jan 13 2015 14:21:18 UTC msg=Successful upload of email metadata rt=Jan 13 2015 14:21:18 UTC start=Jan 13 2015 14:21:18 UTC

LEEF:

Jan 13 14:23:14 test2 LEEF: 1.0|Lastline|Defender|9.0|appliance-status|cat=Email Analysis Service\tdevTime=Jan 13 2015 14:21:18 UTC\tdevTimeFormat=MMM dd yyyy HH:mm:ss z\tdeviceExternalId=0284f6fcf42f4e859499f00bc00c19a7\tdeviceFacility=Email metadata uploader\tdeviceStatusLink=https://user.lastline.local/appliance#/config/status/0284f6fcf42f4e859499f00bc00c19a7\tdeviceType=SENSOR\tdvchost=lastline-sensor.lastline.local\timpact=10\tmsg=Successful upload of email metadata\tmsgIdentifier=llmail.sharduploader.upload\tsev=1\tsrc=192.168.1.52

Audit event notification

Example of a notification triggered by the creation of a license.

CEF:

Jan 13 12:24:59 testhost CEF:0|Lastline|Defender|9.0|audit-event|New license generated|1|cat=registration cn1=10 cn1Label=impact cs1=license cs1Label=AffectedEntityType cs2=AXYAAXYAAXYAAXYAAXYA cs2Label=AffectedEntityID cs3=https://user.lastline.local/settings#/audit/a/2015-11-24/2015-11-26?audit_event_id%3d15 cs3Label=EventDetailLink cs4=license_created cs4Label=AuditActionType duser=test@fake.bet externalId=15 src=192.168.0.1 start=Nov 25 2015 12:24:59 UTC suser=test@fake.bet

LEEF:

Jan 13 12:24:59 testhost LEEF:1.0|Lastline|Defender|9.0|audit-event|AffectedEntityID=AXYAAXYAAXYAAXYAAXYA\tAffectedEntityType=license\tAuditActionType=license_created\taccountName=test@fake.bet\tcat=registration\tdesc=New license generated\tdevTime=Nov 25 2015 12:24:59 UTC\tdevTimeFormat=MMM dd yyyy HH:mm:ss z\teventDetailLink=https://user.lastline.local/settings#/audit/a/2015-11-24/2015-11-26?audit_event_id%3d15\texternalId=15\timpact=10\tsev=1\tsrc=192.168.0.1\tusrName=test@fake.bet

Intrusion event notification

Example of a notification triggered for an intrusion.

CEF:

Jul 23 17:45:20 test1 CEF:0|Lastline|Defender|9.0|intrusion-event|Updated intrusion|10| cn1=1 cn1Label=affectedHosts cs2=bad stuff cs2Label=intrusionName cat=Command and Control deviceExternalId=3287884757:3459119816 deviceFacility=C&C Rule dvc=1.2.3.4 end=Feb 01 2018 15:16:17 UTC externalId=0284f6fcf42f4e859499f00bc00c19a7 cs1=https://do.no.connect/portal#/campaigns/details/0284f6fcf42f4e859499f00bc00c19a7?customer=mannimarcocs%40oblivion.bet cs1Label=intrusionDetailLink cn2=1 cn2Label=nrMalware msg=Added detection information: hosts: 1.2.3.4; malware: Upatre Public IP Check reason=Detected Command&Control traffic indicating that 2 hosts are infected with malware Upatre Public IP Check start=Jan 07 2018 20:01:02 UTC devTime=Dec 12 2012 00:00:00 UTC devTimeFormat=MMM dd yyyy HH:mm:ss z

LEEF:

Jul 23 17:45:20 test2 LEEF:1.0|Lastline|Defender|9.0|intrusion-event|affectedHosts=1\tcorrelationRule=C&C Rule\tdesc=Updated intrusion\tdeviceExternalId=3287884757:3459119816\texternalId=0284f6fcf42f4e859499f00bc00c19a7\tintrusionName=bad stuff\tnrMalware=1\tmostAdvancedAttackStage=Command and Control\tmsg=Added detection information: hosts: 1.2.3.4; malware: Upatre Public IP Check\treason=Detected Command&Control traffic indicating that 2 hosts are infected with malware Upatre Public IP Check\tsev=10\tsrc=1.2.3.4\timpact=100\turl=https://do.no.connect/portal#/campaigns/details/0284f6fcf42f4e859499f00bc00c19a7?customer=mannimarco%40oblivion.bet\tdevTime=Dec 12 2012 00:00:00 UTC\tdevTimeFormat=MMM dd yyyy HH:mm:ss z

Mail event notifications

Examples of notifications after the detection of a malicious mail attachment.

CEF:

Jan 13 14:26:20 test1 CEF:0|Lastline|Defender|9.0|email-attachment|Suspicious Email Attachment|10|cn1=100 cn1Label=impact cs1=Test cs1Label=EmailSubject cs2=b89c9140637e49219d464b8f90eab8f7 cs2Label=MessageID cs3=Pdf cs3Label=fileCategory cs4=e1a1dcfefa8c96723d5f7816f0e991a0a01b5f0a cs4Label=fileSHA1 cs5=https://user.lastline.local/malscape/#/task/d4ed2a4fcc454e82adc57d7d304b7fe3 cs5Label=FileDetailLink cs6=https://user.lastline.local/mail/message#/3287884757/3459119816/9552?mail_time=2016-03-21 cs6Label=EventDetailLink deviceExternalId=3053322414:602745899 duser=<test@example.com> end=Jan 13 2015 14:26:20 UTC fileHash=5e2eceec69c9ef5435298abc1d10624b fileType=PDF document fname=5e2eceec69c9ef5435298abc1d10624b fsize=5984 start=Jan 13 2015 14:26:20 UTC suser=fake@example.com

LEEF:

Jan 13 14:26:20 test2 LEEF:1.0|Lastline|Defender|9.0|email-attachment|EventDetailLink=https://user.lastline.local/mail/message#/3287884757/3459119816/9552?mail_time=2016-03-21\tFileDetailLink=https://user.lastline.local/malscape/#/task/d4ed2a4fcc454e82adc57d7d304b7fe3\tSender=fake@example.com\tdesc=Suspicious Email Attachment\tdevTime=Jan 13 2015 14:26:20 UTC\tdevTimeFormat=MMM dd yyyy HH:mm:ss z\tdeviceExternalId=3053322414:602745899\temailSubject=Test\tfileCategory=Pdf\tfileHash=5e2eceec69c9ef5435298abc1d10624b\tfileSHA1=e1a1dcfefa8c96723d5f7816f0e991a0a01b5f0a\tfileType=PDF document\tfname=5e2eceec69c9ef5435298abc1d10624b\tfsize=5984\timpact=100\tmessageID=b89c9140637e49219d464b8f90eab8f7\tsev=10\tusrName=<test@example.com>

Examples of notifications after the detection of a malicious URL in a mail message.

CEF:

Nov 25 13:53:13 testhost CEF:0|Lastline|Defender|9.0|email-url|Suspicious Email Url|9|cn1=99 cn1Label=impact cs1=TEST EMAIL! cs1Label=EmailSubject cs2=e45t4751945e49219d464b8p43maw9r4 cs2Label=MessageID cs3=http://www.evil.fake cs3Label=mailUrl cs4=2be456f055282b7dc6d6b0f002a52dad cs4Label=mailUrlHash deviceExternalId=3287884757:3459119816 duser=<test@example.com> end=Nov 25 2015 13:53:13 UTC start=Nov 25 2015 13:53:13 UTC suser=fake@example.com

LEEF:

Nov 25 13:53:13 testhost LEEF:1.0|Lastline|Defender|9.0|email-url|ApplianceName=sensor01\tSender=fake@example.com\tdesc=Suspicious Email Url\tdevTime=Nov 25 2015 13:53:13 UTC\tdevTimeFormat=MMM dd yyyy HH:mm:ss z\tdeviceExternalId=3287884757:3459119816\temailSubject=TEST EMAIL!\timpact=99\tmailUrl=http://www.evil.fake\tmailUrlHash=2be456f055282b7dc6d6b0f002a52dad\tmessageID=e45t4751945e49219d464b8p43maw9r4\tsev=9\tusrName=<test@example.com>

Example of a notification after the detection of a malicious mail message.

CEF:

Jan 13 23:32:33 testhost CEF:0|Lastline|Defender|9.0|email-message|Suspicious Email Message|8|act=LOG cat=drive-by/Mebroot cn1=80 cn1Label=impact cs1=TEST EMAIL! cs1Label=EmailSubject cs2=e45t4751945e49219d464b8p43maw9r4 cs2Label=MessageID cs3=https://do.no.connect/portal#/mail/message/3287884757/3459119816/9359?date=2019-09-09 cs3Label=EventDetailLink deviceExternalId=3287884757:3459119816 duser=<test@example.com> end=Sep 09 2019 23:32:33 UTC start=Sep 09 2019 23:32:33 UTC suser=fake@example.com

LEEF:

Jan 13 23:32:33 testhost LEEF:1.0|Lastline|Defender|9.0|email-message|ApplianceName=sensor01\tEventDetailLink=https://do.no.connect/portal#/mail/message/3287884757/3459119816/9360?date=2019-09-09\tSender=test@example.com\tact=LOG\tcat=drive-by\tdesc=Suspicious Email Message\tdetectors=email_anomaly:spam_domain,email_anomaly:spam_ip\tdevTime=Sep 09 2019 23:41:12 UTC\tdevTimeFormat=MMM dd yyyy HH:mm:ss z\tdeviceExternalId=3287884757:3459119816\temailSubject=TEST EMAIL!\timpact=80\tmalware=Mebroot\tmessageID=a=unique=message_id\tsev=8\tusrName=test@lastline.com

Network event notifications

Example of a notification triggered by the detection of a malicious file download.

CEF:

Jan 13 14:29:53 test1 CEF: 0|Lastline|Defender|9.0|file-download|Suspicious File Download|10|act=LOG cat=Malicious File Download/Malicious Document Download cn1=100 cn1Label=impact cn2=12 cn2Label=incidentId cn3=100 cn3Label=incidentImpact cnt=1 cs1=2535ec71:30fbe7df:e52cff2b cs1Label=detectionId cs2=https://user.lastline.local/event#/3053322414/602745899/2?event_time%3d2015-08-18 cs2Label=EventDetailLink cs3=http://127.0.0.2/5e2eceec69c9ef5435298abc1d10624b.pdf cs3Label=EventUrl cs4=Pdf cs4Label=fileCategory cs5=e1a1dcfefa8c96723d5f7816f0e991a0a01b5f0a cs5Label=fileSHA1 cs6=https://user.lastline.local/malscape/#/task/d4ed2a4fcc454e82adc57d7d304b7fe3 cs6Label=FileDetailLink deviceExternalId=3053322414:602745899 dhost=127.0.0.2 dpt=80 dst=127.0.0.2 end=Jan 13 2015 14:27:56 UTC externalId=2 fileHash=5e2eceec69c9ef5435298abc1d10624b fileType=PDF document fname=/5e2eceec69c9ef5435298abc1d10624b.pdf fsize=5984 proto=TCP src=127.0.0.1 start=Jan 13 2015 14:27:56 UTC

LEEF:

Jan 13 14:29:53 test2 LEEF: 1.0|Lastline|Defender|9.0|file-download|EventDetailLink=https://user.lastline.local/event#/3053322414/602745899/2?event_time%3d2015-08-18\tEventUrl=http://127.0.0.2/5e2eceec69c9ef5435298abc1d10624b.pdf\tFileDetailLink=https://user.lastline.local/malscape/#/task/d4ed2a4fcc454e82adc57d7d304b7fe3\tact=LOG\tcat=Malicious File Download\tcnt=1\tdesc=Suspicious File Download\tdetectionId=2535ec71:30fbe7df:e52cff2b\tdevTime=Jan 13 2015 14:27:56 UTC\tdevTimeFormat=MMM dd yyyy HH:mm:ss z\tdeviceExternalId=3053322414:602745899\tdhost=127.0.0.2\tdst=127.0.0.2\tdstPort=80\texternalId=2\tfileCategory=Pdf\tfileHash=5e2eceec69c9ef5435298abc1d10624b\tfileSHA1=e1a1dcfefa8c96723d5f7816f0e991a0a01b5f0a\tfileType=PDF document\tfname=/5e2eceec69c9ef5435298abc1d10624b.pdf\tfsize=5984\timpact=100\tmalware=Malicious Document Download\tproto=TCP\tsev=10\tsrc=127.0.0.1\tincidentId=12\tincidentImpact=100\tIncidentMalware=Malicious Document Download\tIncidentClass=Malicious File Download

Example of a notification reporting the detection of a suspicious network connection.

CEF:

Jan 13 14:34:30 test1 CEF: 0|Lastline|Defender|9.0|network-connection|Suspicious Network Connection|0|act=LOG cat=Lastline test/Lastline test cn1=1 cn1Label=impact cn2=13 cn2Label=incidentId cn3=1 cn3Label=incidentImpact cnt=1 cs1=fc900ff8:30fbe7df:30fbe7df cs1Label=detectionId cs2=https://user.lastline.local/event#/3053322414/602745899/3?event_time%3d2015-08-18 cs2Label=EventDetailLink cs3=http://test.lastline.com cs3Label=EventUrl deviceExternalId=3053322414:602745899 dhost=test.lastline.com dpt=80 dst=52.5.237.96 end=Jan 13 2015 14:32:27 UTC externalId=3 proto=TCP smac=08:00:27:00:c9:7a src=192.168.1.52 start=Jan 13 2015 14:32:27 UTC

LEEF:

Jan 13 14:34:30 test2 LEEF: 1.0|Lastline|Defender|9.0|network-connection|EventDetailLink=https://user.lastline.local/event#/3053322414/602745899/3?event_time%3d2015-08-18\tact=LOG\tcat=Lastline test\tcnt=1\tdesc=Suspicious Network Connection\tdetectionId=fc900ff8:30fbe7df:30fbe7df\tdevTime=Jan 13 2015 14:32:27 UTC\tdevTimeFormat=MMM dd yyyy HH:mm:ss z\tdeviceExternalId=3053322414:602745899\tdst=52.5.237.96\tdstPort=80\texternalId=3\timpact=1\tmalware=Lastline test\tproto=TCP\tsev=0\tsrc=192.168.1.52\tsrcMAC=08:00:27:00:c9:7a\tEventUrl=http://test.lastline.com\tincidentId=13\tincidentImpact=1\tIncidentMalware=Lastline test\tIncidentClass=Lastline test

Example of a notification triggered by a suspicious DNS resolution.

CEF:

Jan 13 14:34:58 test1 CEF: 0|Lastline|Defender|9.0|dns-resolution|Suspicious DNS Resolution|0|act=LOG cat=Lastline test/Lastline test cn1=1 cn1Label=impact cn2=14 cn2Label=incidentId cn3=1 cn3Label=incidentImpact cnt=2 cs1=fc900ff8:30fbe7df:30fbe7df cs1Label=detectionId cs2=https://user.lastline.local/event#/3053322414/602745899/4?event_time%3d2015-08-18 cs2Label=EventDetailLink cs3=test.lastline.com cs3Label=ResolvedDomain cs4=http://test.lastline.com cs4Label=EventUrl deviceExternalId=3053322414:602745899 dpt=53 dst=192.168.1.1 end=Jan 13 2015 14:32:27 UTC externalId=4 proto=UDP smac=08:00:27:00:c9:7a src=192.168.1.52 start=Jan 13 2015 14:32:27 UTC

LEEF:

Jan 13 14:34:58 test2 LEEF: 1.0|Lastline|Defender|9.0|dns-resolution|EventDetailLink=https://user.lastline.local/event#/3053322414/602745899/4?event_time%3d2015-08-18\tResolvedDomain=test.lastline.com\tact=LOG\tcat=Lastline test\tcnt=2\tdesc=Suspicious DNS Resolution\tdetectionId=fc900ff8:30fbe7df:30fbe7df\tdevTime=Jan 13 2015 14:32:27 UTC\tdevTimeFormat=MMM dd yyyy HH:mm:ss z\tdeviceExternalId=3053322414:602745899\tdst=192.168.1.1\tdstPort=53\texternalId=4\timpact=1\tmalware=Lastline test\tproto=UDP\tsev=0\tsrc=192.168.1.52\tsrcMAC=08:00:27:00:c9:7a\tEventUrl=http://test.lastline.com\tincidentId=14\tincidentImpact=1\tIncidentMalware=Lastline test\tIncidentClass=Lastline test

Example of a notification for a network event that includes information about the related PCAP (Include pcap enabled). The pcapBody value carries the capture file as base64 text; it is truncated here for brevity, and the value shown begins with the libpcap file header.

LEEF:

Apr 22 13:41:30 testhost LEEF:1.0|Lastline|Enterprise|7.2|dns-resolution|ApplianceName=sensor01\tEventDetailLink=https://user.lastline.local/event#/3287884757/3459119816/1787?event_time=2012-12-11\tEventUrl=http://example.com\tact=LOG\tcat=Testing Class\tcnt=1\tdesc=Suspicious DNS Resolution\tdetectionId=c90de0dd:d0051f96:d0051f96\tdevTime=Dec 11 2012 23:51:10 UTC\tdevTimeFormat=MMM dd yyyy HH:mm:ss z\tdeviceExternalId=3287884757:3459119816\tdst=10.0.0.1\tdstPort=80\texternalId=1787\timpact=70\tmalware=Testing\tpcapDstIp=10.0.0.1\tpcapDstPort=80\tpcapBody=1MOyoQIABAAAAAAAAAAAAP//AAABAAAAI0ujQLi/BAA+AAAAPgAAAP7/IAABAAAAAQAAAAgARQAAMA9BQACABpHrkf6g7UHQ5N8NLABQOK\tpcapFailedConnections=1\tpcapHosts=www.lastline.com\tpcapId=868\tpcapInBytes=1\tpcapOutBytes=1\tpcapProtocols=TCP\tpcapSrcIp=192.168.0.1\tpcapSrcPort=23456\tpcapStartTime=2012-12-11\t23:51:10\tpcapSuccessfulConnections=1\tpcapThreats=User Threat\tpcapUrls=http://example.com\tproto=TCP\tsev=7\tsrc=192.168.0.1

Network IoC event notification

Example of a notification triggered by a network IoC event.

CEF:

Mar 02 20:54:09 testhost CEF:0|Lastline|Defender|9.0|network-ioc-ip|Network IoC IP|8|cat=command&control/Murofet cn1=80 cn1Label=impact cs1=100 cs1Label=detectionId cs2=https://do.no.connect/portal#/event/3637006069/1189538789/100?event_time\\=2019-10-10 cs2Label=detectionDetailLink cs3=network-event cs3Label=detectionType cs4=Mebroot cs4Label=additionalThreats cs5=network_class: enterprise,organisation: Google cs5Label=attributes deviceExternalId=AAAAAAAAAAAAAAAAAAAA:sensor01 dhost=evil.com dst=8.8.8.8 end=Sep 03 2019 12:07:11 UTC start=Oct 10 2019 11:52:47 UTC

LEEF:

Mar 02 20:55:25 testhost LEEF:1.0|Lastline|Defender|9.0|network-event|ApplianceName=Previct Sensor 01\tadditionalMalware=Mebroot\tcat=command&control\tdesc=Network IoC IP\tdevTime=Oct 10 2019 11:52:47 UTC\tdevTimeFormat=MMM dd yyyy HH:mm:ss z\tdeviceExternalId=AAAAAAAAAAAAAAAAAAAA:sensor01\tdhost=evil.com\tdst=8.8.8.8\texternalId=100\timpact=80\tlastUpdate=Sep 03 2019 12:07:11 UTC\tlicense=AAAAAAAAAAAAAAAAAAAA:sensor01\tmalware=Murofet\tmetadata=network_class: enterprise,organisation: Google\tsev=8\ttriggerType=network-ioc-ip\turl=https://do.no.connect/portal#/event/3637006069/1189538789/100?event_time=2019-10-10

Test event notification

Examples of the notification sent when you click the heartbeat/test icon in the Syslog notifications list (see Test Syslog Integration above).

CEF:

Jan 13 14:26:20 test1 CEF:0|Lastline|Defender|9.0|test-event|User triggered test event|1|cn1=10 cn1Label=impact cn2=37 cn2Label=notification_config_id devTime=Dec 12 2012 00:00:00 UTC devTimeFormat=MMM dd yyyy HH:mm:ss z externalId=3dc144bdb3434b1abf7a465de3f57948

LEEF:

Jan 13 14:26:20 test2 LEEF:1.0|Lastline|Defender|9.0|test-event|desc=User triggered test event\tdevTime=Dec 12 2012 00:00:00 UTC\tdevTimeFormat=MMM dd yyyy HH:mm:ss z\timpact=10\tnotification_config_id=37\texternalId=3dc144bdb3434b1abf7a465de3f57948
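The examples above show what a SIEM has to take apart. The following is an added example written for this page, not code from VMware or the NSX Network Detection and Response product: it parses a CEF line and a LEEF line of the kind shown above into the syslog prefix, the vendor header and the extension fields, resolves the CEF cs1/cs1Label pairs to their declared names, unescapes the backslash-escaped "=" that CEF uses inside values, tolerates the extra tab inside the pcapStartTime value seen in the PCAP example, and decodes the LEEF pcapBody to confirm it is a libpcap capture (magic, snaplen, link type) while reporting that a truncated body holds no complete record. The two sample lines are constructed for this example after the page's own (the <134> priority prefix is an assumption about what a real syslog transport prepends); the base64 pcapBody is the truncated value from the example above. Function names are the example's own.

```python
"""Parse and sanity-check CEF / LEEF syslog notifications like the examples above."""
import base64
import re
import struct

# Constructed sample lines, modelled on the page's examples (not real detections).
SAMPLE_CEF = (
    "<134>Jan 13 14:26:20 test1 CEF:0|Lastline|Defender|9.0|test-event|"
    "User triggered test event|1|cn1=10 cn1Label=impact cn2=37 "
    "cn2Label=notification_config_id cs1=https://do.no.connect/portal#/event/100"
    "?event_time\\=2019-10-10 cs1Label=detectionDetailLink "
    "externalId=3dc144bdb3434b1abf7a465de3f57948"
)
SAMPLE_LEEF = (
    "Apr 22 13:41:30 testhost LEEF:1.0|Lastline|Enterprise|7.2|dns-resolution|"
    "ApplianceName=sensor01\tdesc=Suspicious DNS Resolution\tsev=7\tsrc=192.168.0.1\t"
    "pcapBody=1MOyoQIABAAAAAAAAAAAAP//AAABAAAAI0ujQLi/BAA+AAAAPgAAAP7/IAABAAAAAQAAAAgA"
    "RQAAMA9BQACABpHrkf6g7UHQ5N8NLABQOK\tpcapStartTime=2012-12-11\t23:51:10"
)

# RFC 3164 style prefix with optional <PRI>; some renderings put a space after "CEF:".
SYSLOG_RE = re.compile(
    r"^(?:<\d{1,3}>)?(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<fmt>CEF|LEEF): ?(?P<rest>.*)$", re.S)
CEF_KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_.-]+)=")  # a key starts after a space
PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond pcap
              b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nanosecond pcap

def _cef_unescape(value: str) -> str:
    # CEF escapes "=" and backslash with a backslash; \n and \r stand for newlines.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_cef(rest: str) -> dict:
    # Header: Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
    parts = re.split(r"(?<!\\)\|", rest, maxsplit=7)  # a literal pipe is escaped as \|
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    keys = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
    header = {k: v.replace("\\|", "|") for k, v in zip(keys, parts)}
    ext = {}
    hits = list(CEF_KEY_RE.finditer(parts[7]))
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(parts[7])
        ext[hit.group(1)] = _cef_unescape(parts[7][hit.end():end])
    # Resolve cs1/cs1Label style pairs to the declared name (cs1Label=impact -> ext["impact"]).
    for label in [k for k in ext if k.endswith("Label") and k[:-5] in ext]:
        ext[ext[label]] = ext[label[:-5]]
    return {"format": "CEF", **header, "ext": ext}

def parse_leef(rest: str) -> dict:
    # LEEF 1.0 header: Version|Vendor|Product|Version|EventID| then tab-separated key=value.
    parts = rest.split("|", 5)
    if len(parts) != 6:
        raise ValueError("malformed LEEF header")
    keys = ("version", "vendor", "product", "device_version", "event_id")
    attrs, last = {}, None
    for token in parts[5].split("\t"):
        if "=" in token:
            last, value = token.split("=", 1)
            attrs[last] = value
        elif last is not None:
            attrs[last] += " " + token  # a tab inside a value, as in pcapStartTime above
    return {"format": "LEEF", **dict(zip(keys, parts)), "ext": attrs}

def parse_notification(line: str) -> dict:
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a CEF/LEEF syslog line")
    parsed = parse_cef(m["rest"]) if m["fmt"] == "CEF" else parse_leef(m["rest"])
    parsed.update(timestamp=m["ts"], host=m["host"])
    return parsed

def is_test_event(parsed: dict) -> bool:
    # The heartbeat/test icon in the User Portal produces the 'test-event' signature.
    return parsed.get("signature_id", parsed.get("event_id")) == "test-event"

def inspect_pcap_body(b64: str) -> dict:
    # pcapBody is a base64 libpcap capture; a truncated value is cut at its last full 4-char group.
    raw = base64.b64decode(b64[: len(b64) - len(b64) % 4])
    if len(raw) < 24 or raw[:4] not in PCAP_MAGIC:
        raise ValueError("no libpcap global header")
    endian = PCAP_MAGIC[raw[:4]]
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", raw[4:24])
    records, off, truncated = 0, 24, False
    while off + 16 <= len(raw):  # per-record header: ts_sec, ts_usec, incl_len, orig_len
        _sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", raw[off:off + 16])
        if off + 16 + incl_len > len(raw):
            truncated = True
            break
        records, off = records + 1, off + 16 + incl_len
    return {"version": (major, minor), "snaplen": snaplen, "linktype": linktype,
            "complete_records": records, "truncated": truncated or off < len(raw)}

if __name__ == "__main__":
    print(parse_notification(SAMPLE_CEF)["ext"])
    print(inspect_pcap_body(parse_notification(SAMPLE_LEEF)["ext"]["pcapBody"]))
```

Run it directly to print the parsed fields. The same parse_notification() call can be fed lines read from the SIEM or from the file your rsyslog receiver writes during Test Syslog Integration, and is_test_event() picks out the heartbeat/test message among real detections.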

Appendices

Appliance trigger fields

Possible values for appliance trigger fields:

cat | msgIdentifier | deviceFacility
Analysis | appliance_update.analysis.anonvpn | Traffic Routing
Analysis | appliance_update.analysis.lladoc | Document Analyzer
Analysis | appliance_update.analysis.llama | Windows Sandbox
Analysis | appliance_update.analysis.llweb | URL/PDF Sandbox
Analysis | appliance_update.analysis.processing | Processing
Database | appliance_update.db.server | Database Server
Disk Usage | sys.disk.usage | Disk Usage
Email Analysis | appliance_update.mail.llmail | Email Analysis Service
Email Analysis Service | llmail.receiver | Email receiver
Email Analysis Service | llmail.sharduploader.upload | Email metadata uploader
Email Analysis Service | llmail.smtpsender-dsn.message | SMTP bounce sender message status
Email Analysis Service | llmail.smtpsender-dsn.server | SMTP bounce sender server status
Email Analysis Service | llmail.smtpsender.message | SMTP sender message status
Email Analysis Service | llmail.smtpsender.server | SMTP sender server status
ICAP | appliance_update.icap.cicap | ICAP Server
IDS Service | llsnifflogmon.suricata.ruleparsing.customer | Customer Rule
Integrations | appliance_update.integration.session_tracker | Session Tracker Service
Integrations | appliance_update.integrations.notification-proxy_status | Notification Delivery Service
Integrations | appliance_update.integrations.session_tracker | Session Tracker Service
Management | appliance_update.mgmt.appliance_update | Lastline Update Service
Management | appliance_update.mgmt.lload | Load Monitoring Service
Management | appliance_update.mgmt.version | Version Update Service
Message Processing | appliance_update.mq.broker | Message Broker
Message Processing | appliance_update.mq.queue_workers | Message Processors
Monitoring | appliance_update.monitoring.llpsv | Sniffer Service
Monitoring | appliance_update.monitoring.suricata | IDS Service
Notification Delivery Service | notification.server.checkpoint | Checkpoint Server Status
Notification Delivery Service | notification.server.email | Email Server Status
Notification Delivery Service | notification.server.httppost | HTTP Server Status
Notification Delivery Service | notification.server.siem | SIEM Server Status
Notification Delivery Service | notification.server.tipping_point | TippingPoint SMS Server Status
Offline | (none) | (none)
Online | (none) | (none)
Queue Status | analyst_scheduler.status.capacity_percent | Analysis Queue - Load
Queue Status | analyst_scheduler.status.pickup_delay | Analysis Queue - Analysis Delay
Queue Status | analyst_scheduler.status.tasks_queued | Analysis Queue - Pending Tasks
Session Tracker Service | session-tracker.wmi_query | Session Tracker Query Status
System | appliance_update.action.configure | Configuration
System Status | appliance_update.appliance_clock | Appliance Clock
Threat Intelligence Replication | db.monitor_slave.io | Threat Intelligence Replication IO
Threat Intelligence Replication | db.monitor_slave.sql | Threat Intelligence Replication SQL
Traffic Routing | anonymity_provider.status | Traffic Routing Check
Windows Sandbox | analyst_daemon.llama.configuration | Sandbox Configuration Data

Audit action field

Possible values for the AuditActionType field:

Action type Description
account_blocked An account was blocked.
account_created An account was created.
account_deleted An account was deleted.
account_permission_granted A permission was granted to an account.
account_permission_revoked A permission was revoked from an account.
account_unblocked An account was unblocked.
account_updated An account's details were updated.
api_token_reset A license API token was reset.
appliance_delete_quarantined_mail_requested A quarantined mail message was deleted.
appliance_deregistered An appliance was deregistered.
appliance_disabled An appliance was disabled.
appliance_enabled An appliance was enabled.
appliance_rebooted An appliance was rebooted.
appliance_reconfigured An appliance was reconfigured.
appliance_registered An appliance was registered.
appliance_release_quarantined_mail_requested A quarantined mail message was released.
appliance_upgraded The software version of an appliance was upgraded.
customer_updated A customer's details were updated.
email_changed An account's email was updated.
failed_login A user failed to log in to an account.
homenet_updated The homenet was updated.
httppost_notification_created An HTTP POST notification configuration was created.
httppost_notification_updated An HTTP POST notification configuration was updated.
intrusion_assignee_updated The assignee of an intrusion was updated.
intrusion_state_updated The state of an intrusion was updated.
invalid_credentials A user provided invalid credentials for an account.
license_created A new license was granted.
license_updated A license's details were updated.
mail_assignee_updated The assignee of a mail message was updated.
mail_notification_created A mail notification configuration was created.
mail_notification_updated A mail notification configuration was updated.
mail_state_updated The state of a mail message was updated.
notification_deleted A notification configuration was deleted.
password_changed An account's password was updated.
password_removed An account's password was removed.
password_reset An account's password was reset.
password_reset_request A request was made to reset an account's password.
report_created A report was created.
report_deleted A report was deleted.
report_updated A report was updated.
role_created A custom role was created.
role_granted A custom role was granted to an account.
role_permission_granted A permission was granted for a custom role.
role_permission_revoked A permission was removed from a custom role.
role_revoked A role was revoked from an account.
role_updated A custom role was updated.
sensor_added A sensor was added.
sensor_updated A sensor was updated.
siem_notification_created A SIEM notification configuration was created.
siem_notification_updated A SIEM notification configuration was updated.
streaming_notification_created A streaming API notification configuration was created.
streaming_notification_updated A streaming API notification configuration was updated.
successful_login A successful login was performed for an account.
successful_logout A successful logout was performed for an account.
test_notification_sent A test notification was sent.
wmi_source_configured A WMI source was configured for session management.
wmi_source_deleted A WMI source configuration was deleted.

Mail event action

Possible values for the mail event action field:

action_name Description
BLOCK_ATTACHMENT The attachment contained in the mail message was blocked.
BLOCK_EMAIL The entire mail message was blocked.
BLOCK_URL The URL contained in the mail message was blocked.
LOG The mail event was only logged.
UNKNOWN An unknown action was taken in response to this event.
WARN A warning was issued about the content of the mail that triggered this mail event.