Configuration steps
1. Go to the three-bar icon at the top > Compliance and Sharing
2. Click Details
3. Go to Third-Party Platforms > Add > select the Syslog protocol, fill in the fields as required, and click OK
Examples of Security Incident syslog messages in the SEF, CEF and LEEF data formats
08-01-2023 00:49:23 User.Info 10.70.255.53
2023-08-01 00:49:24|!secevent|!10.70.255.53|!{"dealStatus": 0, "firstTime": 1690823326, "msg_type": "209", "scan_time": "", "ip": "192.168.11.101",
"tampered_url": "", "hostRisk": "192.168.11.101(Tenant - Arin)", "eventKey": "1145000804", "attack_state": "3", "brief": "coinminermining", "password_autofill": "",
"tag": "Access to malicious domain name (coinminer mining)", "dst_branch_name": "Internet", "detectEngine": "Cryptomining Intelligence Database",
"threat_level": 3, "dst_mac_addr": "", "sub_attack_name": "Cryptomining", "vulnerability_description": "", "scan_success": "", "src_port": "", "emergency": "important",
"sub_attack_type_name": "", "branchId": "9", "src_mac_addr": "", "directory_browsing": "", "sub_attack_type": "0", "classify1_id": 2, "domain_name": "", "rsp_email": "",
"src_ip": "192.168.11.101", "event_evidence": "Specific Intelligencehost.voiceusit.comDNS Server192.168.11.100Resolved IP[\"161.35.181.214\"]IOC Tags[\"coinminer,mining\"]",
"alert_ids": [2145000804], "role": 2, "attachment": "", "eventType": 0, "dst_branch_id": 0, "recordDate": 20230801, "src_branch_name": "Tenant - Arin", "dst_port": "",
"hostName": "DESKTOP-63NIQ0A", "phishing_link": "", "ruleId": "1145000804", "attack_time": "", "attack_count": "", "suspect_level": 3, "branch_name": "Tenant - Arin", "msg_sub_type": "3",
"downstream_traffic": "", "data_collection_size": "", "dst_ip": "161.35.181.214", "log_time": 1690825386, "upstream_traffic": "", "vulnerability_name": "", "stage": 4, "count": 10, "msg_count": "",
"server_sensative_directory": "", "session_token": "", "url": "", "scan_count": "", "event_content": "Access to malicious domain name (coinminer mining)",
"solution": "1. Fix and patch SMBv1 protocol timely or disable it, and disable WMI.2. Sangfor offers customers and users a free anti-malware software to scan for and remove the virus. Simply download it from https://active.sangfor.com/sangfor-anti-bot-tool3. Sangfor Endpoint Secure, NGAF and CCOM products are capable of detecting this virus.4. Customers of Sangfor Endpoint Secure, NGAF and CCOM products are recommended to connect to cloud-based Sangfor Neural-X, updating threat signature databases and blocking common viruses efficiently.", "email_from": "", "dst_host": "", "classify_id": 20000, "principle": "CoinMiner is a mining virus that spreads via EternalBlue vulnerabilities and WMI tools. After intruding the system by exploiting EternalBlue vulnerabilitiess, it will set a backdoor in the system and then run WMI scripts. The scripts will be connected to C&C servers to download main programs and components of the miner. It will also use WMI to stay in the system even without files, thus making itself stealthier and more difficult to be detected and removed.", "module_name": "Malicious File Infection", "email_to": "", "data_collection_time": "", "src_branch_id": 9, "src_host": ""}
Data format: SEF (Sangfor Event Format)
08-01-2023 14:30:44 User.Info 10.70.255.53 Aug 01 14:30:46 10.70.255.53 CEF:0|SANGFOR|SIP|3.0.65|1145001263|Access to malicious domain name (blackmoon trojan)|3|spt= smac= shost= dst=0.0.0.0
start=1690874238 msg=Specific Intelligencejincpay.comDNS Server192.168.11.100Resolved IP-IOC Tags["blackmoon,trojan"] src_branch_name=Tenant - Arin dmac= dst_branch_name=Internet end=1690874238 src=192.168.11.101
dpt= cn2=0 cn1=3 cs4=Access to malicious domain name (blackmoon trojan) dhost= cs1=209 cs3=1. Check whether the endpoint is a DNS server or an AD domain server (DNS proxy). If so, STA deployment may require to be changed. Please contact Sangfor technical support. 2. We recommend to use Sangfor Endpoint Secure Client for virus scan and removal: https://www.sangfor.com/product/sxf-network-security-endpoint-secure.html 3. If the virus cannot be found using the recommended tool, use third-party antivirus tools. Daily Maintenance: 1. Do not open unknown emails or attachments. 2. Update the system patch as soon as possible. You can use Windows Update or Tencent PC Manager to update. 3. Back up critical data regularly to other endpoints or storage devices. 4. Install professional security software or deploy security appliance. 5. Disable ports 139 and 445 that are used for file sharing if they are not necessary for business. 6. Set system a complex password (such as set for RDP remote desktop). cs2=1
Data format: CEF (Common Event Format)
08-01-2023 14:54:57 User.Info 10.70.255.53 Aug 01 14:54:58 10.70.255.53 LEEF:1.0|SANGFOR|SIP|3.0.65|1145000804|sev=3 dealStatus=0 firstTime=1690823326 srcMAC= srcPort= tag=Access to malicious domain name (coinminer mining)
shost= dst=0.0.0.0 sus=3 msg=Specific Intelligenceiron.tenchier.comDNS Server192.168.11.100Resolved IP-IOC Tags["coinminer,mining"] src_branch_name=Tenant - Arin infosecurity=209 dst_branch_name=Internet dstPort= infosecuritysub=3 src=192.168.11.101 dstMAC= solution=1.
Fix and patch SMBv1 protocol timely or disable it, and disable WMI.2. Sangfor offers customers and users a free anti-malware software to scan for and remove the virus. Simply download it from https://active.sangfor.com/sangfor-anti-bot-tool3. Sangfor Endpoint Secure, NGAF and CCOM products are capable of detecting this virus.4. Customers of Sangfor Endpoint Secure, NGAF and CCOM products are recommended to connect to cloud-based Sangfor Neural-X, updating threat signature databases and blocking common viruses efficiently. lastTime=1690875927 dhost=
Data format: LEEF (Log Event Extended Format)
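As an added example (not from the Sangfor documentation or product), a small Python parser for the SEF and CEF lines shown above, useful when a SIEM needs the source, destination, rule ID and severity pulled out of each record. It assumes only the layout visible in the samples: SEF records are "timestamp|!secevent|!sensor-ip|!JSON", and CEF records are seven pipe-separated header fields followed by space-separated key=value extensions whose values may themselves contain spaces.

```python
import json
import re

# Constructed SEF sample in the layout shown above (field names taken from the
# sample record, not from an official schema).
SEF_LINE = ('2023-08-01 00:49:24|!secevent|!10.70.255.53|!'
            '{"msg_type": "209", "eventKey": "1145000804", "threat_level": 3, '
            '"src_ip": "192.168.11.101", "dst_ip": "161.35.181.214", '
            '"tag": "Access to malicious domain name (coinminer mining)", '
            '"hostName": "DESKTOP-63NIQ0A", "stage": 4, "count": 10}')

# Constructed CEF sample in the layout shown above (header values from the sample).
CEF_LINE = ('CEF:0|SANGFOR|SIP|3.0.65|1145001263|'
            'Access to malicious domain name (blackmoon trojan)|3|'
            'spt= shost= dst=0.0.0.0 src=192.168.11.101 cn1=3 cs1=209 '
            'src_branch_name=Tenant - Arin dst_branch_name=Internet')


def parse_sef(line):
    """Split a SEF record on the '|!' delimiter and decode the JSON body."""
    ts, kind, sensor, body = line.split('|!', 3)
    event = json.loads(body)
    return {
        'time': ts, 'kind': kind, 'sensor': sensor,
        'rule_id': event.get('eventKey'),
        'severity': int(event.get('threat_level', 0)),
        'src': event.get('src_ip'), 'dst': event.get('dst_ip'),
        'summary': event.get('tag'),
    }


def parse_cef(line):
    """Parse the seven CEF header fields, then the key=value extension."""
    # Assumes no backslash-escaped pipes in the header (none appear in the sample).
    cef_ver, vendor, product, version, sig_id, name, severity, ext = line.split('|', 7)
    # Extension keys are bare words before '='; values run until the next " key="
    # so that values with spaces (e.g. "Tenant - Arin") are kept whole, and an
    # empty value such as "spt=" is preserved as ''.
    extension = dict(re.findall(r'(\w+)=(.*?)(?= \w+=|$)', ext))
    return {
        'cef_version': cef_ver, 'vendor': vendor, 'product': product,
        'version': version, 'rule_id': sig_id, 'summary': name,
        'severity': int(severity),
        'src': extension.get('src'), 'dst': extension.get('dst'),
        'extension': extension,
    }
```

Both functions return the same core keys (rule_id, severity, src, dst, summary), so a downstream rule can treat records from either format uniformly.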
Field names in the syslog (SEF) compared with the GUI page
Additional documentation
SANGFOR CC V3.0.65 Syslog SEF Format Description
SANGFOR CC V3.0.65 Syslog CEF Format Description
SANGFOR CC V3.0.65 Syslog LEEF Format Description