EventTracker v8.x and above
Publication Date: June 6, 2018
Abstract

This guide provides instructions to configure Saint Security Suite to forward its scan results to EventTracker Enterprise through the SAINT API and EventTracker's Direct Log Archiver (DLA).

Scope

The configurations detailed in this guide are consistent with EventTracker Enterprise version 8.x and later, and Saint Security Suite versions up to 9.1.

Audience

Saint Security Suite users who wish to forward its events to EventTracker Manager and monitor them using EventTracker Enterprise.

The information contained in this document represents the current view of EventTracker on the issues discussed as of the date of publication. Because EventTracker must respond to changing market conditions, it should not be interpreted to be a commitment on the part of EventTracker, and EventTracker cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. EventTracker MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from EventTracker, if its content is unaltered, nothing is added to the content and credit to EventTracker is provided. EventTracker may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from EventTracker, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2018 EventTracker Security LLC. All rights reserved.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Table of Contents

Abstract
Scope
Audience
Overview
Prerequisites
Integrating Saint Security Suite with EventTracker
  Integration Prerequisites
    API Configuration
    API Tokens
  Integrate Saint to EventTracker
Verify Saint Security Suite Integration in EventTracker
  Verify generated credential csv
  Verify DLA configuration
  Verify Task is created in Task Scheduler
EventTracker Knowledge Pack
  Categories
  Flex Reports
Import Saint Security Suite Knowledge Pack into EventTracker
  Import Category
  Import Knowledge Object
  Token Template
  Import Flex Reports
Verify Saint Knowledge Pack
  Verify Categories
  Verify Knowledge Object
  Token Template
  Verify Flex Reports
Create Dashboards in EventTracker
  Schedule Reports
  Create Dashlets
  Sample Dashboards
Overview

SAINT's fully integrated suite of assessment, analytics and reporting capabilities provides ROI by discovering a wide range of vulnerabilities and exposures in your network, endpoints and content, and gives you the tools to focus resources on the issues of highest business impact. It provides comprehensive security product and service solutions to support the program development, assessment and reporting demands of many of today's industry compliance standards, including PCI, FISMA, HIPAA, SOX and NERC CIP.

EventTracker collects and analyses scanner events and informs an administrator about security violations and vulnerabilities.

Prerequisites

EventTracker 8.x and above should be installed.
Saint Security Suite version up to 9.1 needs to be installed.
PowerShell version 4.0 and above needs to be installed.

Integrating Saint Security Suite with EventTracker

Saint Security Suite is integrated with EventTracker through the Saint API, using PowerShell. Below are the two prerequisites to be checked and obtained before running the PowerShell script.

Integration Prerequisites

API Configuration

To configure the API, log into the web interface and click on Configuration, then API. The API port is 4242 by default. In the Allowed API Clients field, enter * as shown below; this allows any client that can reach the API port to use the API. Where the network layout allows it, enter the address of the EventTracker host that will run the integration script instead of *, so that possession of an API token alone is not enough for any other host to query the scanner.
Figure 1

Click on Save.

API Tokens

Every API call requires a token, which identifies and authenticates the user on whose behalf the call is being made. The API token for the desired user can be determined either through the graphical user interface (GUI) or through API calls.

Generating API Token

To generate an API token through the GUI:

1. Log into SAINT using the web interface.
2. Click on Profile.
Figure 2

3. If an API token has not yet been created, click Create.
4. The API token appears beside the label API Token. Tokens generated in the GUI do not expire.
5. Click on Save.

Figure 3

NOTE: Make a note of the API token that is generated. It will be used in the script later on. Because a GUI-generated token never expires and the script stores it in clear text on disk (in SaintConf.csv, described below), treat it as a long-lived credential: generate it for a dedicated SAINT user account with no more rights than the reports require, keep the script folder readable only by administrators and the account that runs the scheduled task, and recreate the token if that folder is ever exposed.

Integrate Saint to EventTracker

The Saint integrator package needs to be obtained from the EventTracker support team. The integrator package is supplied as a Zip file. Extract the files to get the contents shown in the figure below.
Figure 4

Right-click on Saint Integrator.bat and choose Run as administrator to start the integration process. Once the .bat file runs, a pop-up window appears as shown in the figure below:

Figure 5

In the pop-up window, enter the details as explained below.

Saint Vulnerability Scanner Hostname: Enter only the host name (e.g. if the URL is https://contoso.com:9394, enter only contoso.com in the Hostname field).

API Token: Enter the API token shown in Figure 3 above.

Once the details are entered, click on OK. A task scheduler trigger pop-up window now appears, as shown in the image below:
Figure 6

In this task scheduler window, choose how you want to schedule the Saint reports: on a Daily, Weekly or Monthly basis. Click on OK once you have chosen the scheduling period. An authentication pop-up window then appears asking for a username and password, as shown below:

Figure 7

Enter the Windows administrator username and password to proceed with the task scheduling. The scheduled task will run under this account, so it needs read and write access to the script folder. Click on OK to continue.
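The values the integrator's dialogs collect (host name, API token, schedule period, run-as account) are summarized below as an added PowerShell example. It is not the EventTracker integrator script from the Zip package and does not reproduce the DLA configuration the integrator performs inside EventTracker. It reduces whatever is typed in the Hostname field to a bare host name the way the guide describes, checks that the API port (4242 by default) is reachable, writes SaintConf.csv and registers a scheduled task that runs from the script's own folder. The CSV column names (Url, ApiToken), the task name Saint Integrator, the script file name Saint Integrator.ps1, the 01:00 run time and the HTTPS scheme are assumptions; the Monthly option of Figure 6 is not covered because New-ScheduledTaskTrigger has no monthly trigger (use schtasks.exe /SC MONTHLY or the Task Scheduler GUI for it).

```powershell
# Added example: an illustrative equivalent of the integrator's dialog steps.
# It is NOT the EventTracker integrator script. Assumed, not from the guide:
# the CSV columns Url/ApiToken, the task name 'Saint Integrator', the file name
# 'Saint Integrator.ps1', the 01:00 run time and the https scheme of the API URL.
param(
    [Parameter(Mandatory)][string]$SaintHost,    # the 'Saint Vulnerability Scanner Hostname' field
    [Parameter(Mandatory)][string]$ApiToken,     # the token shown in Figure 3
    [ValidateSet('Daily','Weekly')][string]$Period = 'Daily',
    [int]$ApiPort = 4242,                        # SAINT's default API port
    [string]$ScriptDir = $(if ($PSScriptRoot) { $PSScriptRoot } else { $PWD.Path })
)

# The dialog wants a bare host name. Accept a full URL or host:port and reduce it,
# so that 'https://contoso.com:9394' becomes 'contoso.com' as the guide describes.
function ConvertTo-SaintHostname {
    param([Parameter(Mandatory)][string]$Value)
    $v = $Value.Trim()
    if ($v -match '^[A-Za-z][A-Za-z0-9+.-]*://') { return ([System.Uri]$v).Host }
    return ($v -split '[:/]')[0]                 # strip a trailing :port or /path
}

$saintHostname = ConvertTo-SaintHostname $SaintHost
if (-not $saintHostname) { throw "No host name could be derived from '$SaintHost'" }

# Fail now rather than at the first scheduled run if the API port is closed or filtered.
if (-not (Test-NetConnection -ComputerName $saintHostname -Port $ApiPort -InformationLevel Quiet)) {
    throw "SAINT API port $ApiPort on $saintHostname is not reachable from this host"
}

# SaintConf.csv: the guide says it holds the SAINT URL and the API token, next to the script.
# The token is written in clear text, so the folder's ACL must be restricted (see the
# verification section).
$confPath = Join-Path $ScriptDir 'SaintConf.csv'
[pscustomobject]@{ Url = "https://${saintHostname}:$ApiPort"; ApiToken = $ApiToken } |
    Export-Csv -Path $confPath -NoTypeInformation -Encoding UTF8

# Scheduled task: run from the script's own folder (the check in Figure 13) on the
# period chosen in Figure 6, as the account prompted for in Figure 7.
$scriptPath = Join-Path $ScriptDir 'Saint Integrator.ps1'   # assumed file name
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`"" `
    -WorkingDirectory $ScriptDir
$trigger = switch ($Period) {
    'Daily'  { New-ScheduledTaskTrigger -Daily -At '01:00' }
    'Weekly' { New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At '01:00' }
}
$cred = Get-Credential -Message 'Account the Saint task will run as'
Register-ScheduledTask -TaskName 'Saint Integrator' -Action $action -Trigger $trigger `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
    -RunLevel Highest -Force | Out-Null
```

Run it elevated, as the guide does for the .bat file: Register-ScheduledTask needs administrator rights, and -Force replaces an existing task of the same name so the script can be re-run after changing the token or the period.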
Figure 8

Configuration is now complete.

Verify Saint Security Suite Integration in EventTracker

Verify generated credential csv

Once the script run is complete, the first thing to check is that a SaintConf.csv file has been created in the same path where the script is present. The Saint URL and API token should be present in it. Because the token is stored there in clear text, also confirm that the folder is not readable by ordinary users.

Verify DLA configuration

The next step is to verify that the DLA (Direct Log Archiver) configuration has been created. Log in to EventTracker.

Figure 9

Click on the Admin tab and, in the drop-down, click the Manager option. In the Manager configuration page, click on the Direct Log Archiver tab. Make sure the Direct log file archiving from external sources check box is checked, and click on Edit to check that the DLA configuration has been done correctly.
Figure 10

Once that is done, go to the same folder where the script is present. You should find a folder created by the name SaintReports.

Figure 11
Within the SaintReports folder you will find a Completed folder and a Saint.ini file, which confirms that the DLA creation was successful, as shown in the figure below:

Figure 12

Verify Task is created in Task Scheduler

Go to Start and open Task Scheduler to confirm that the scheduled task has been created. The image below shows the Saint task that is created for scheduling.

Figure 13

Make sure the task is configured to run from the same path where the script is kept.
Figure 14

Check that the task is configured with the right conditions to trigger it, with the specified date and time at which it needs to run. Also specify the time at which the task should trigger on a daily, weekly or monthly basis.
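The checks in this section can be run from one PowerShell script on the EventTracker host; the following is an added example rather than anything shipped with the integrator package. Run it from the script folder (or pass -ScriptDir). It assumes the task name Saint Integrator (read the real name from Figure 13 and pass it with -TaskName) and finds the SAINT URL in SaintConf.csv by value rather than by column name, since the guide does not state the column names. Beyond the guide's three checks it also confirms that the API port is reachable from this host and that the folder holding the clear-text token is not readable by Everyone, Users or Authenticated Users.

```powershell
# Added example: one script for the verification steps above. Not part of the
# EventTracker integrator package. Assumed: the task name (override with -TaskName)
# and that SaintConf.csv has one row whose fields include an http(s) URL and a token.
param(
    [string]$ScriptDir = $(if ($PSScriptRoot) { $PSScriptRoot } else { $PWD.Path }),
    [string]$TaskName  = 'Saint Integrator',   # assumed; use the name shown in Figure 13
    [int]$ApiPort      = 4242                  # SAINT's default API port
)

$checks = [ordered]@{}

# 1. SaintConf.csv next to the script, holding a URL and a non-empty token.
$confPath = Join-Path $ScriptDir 'SaintConf.csv'
$conf   = if (Test-Path $confPath -PathType Leaf) { Import-Csv $confPath | Select-Object -First 1 }
$values = @(if ($conf) { $conf.PSObject.Properties | ForEach-Object { [string]$_.Value } })
$saintUrl = $values | Where-Object { $_ -match '^https?://' } | Select-Object -First 1
$checks['SaintConf.csv present']   = [bool]$conf
$checks['SaintConf.csv has URL']   = [bool]$saintUrl
$checks['SaintConf.csv has token'] = [bool]($values | Where-Object { $_ -and $_ -ne $saintUrl })

# 2. The API port is reachable from this host, which is where the scheduled task polls from.
$uri  = if ($saintUrl) { [System.Uri]$saintUrl }
$port = if ($uri -and -not $uri.IsDefaultPort) { $uri.Port } else { $ApiPort }
$checks['SAINT API port reachable'] = [bool]($uri -and
    (Test-NetConnection -ComputerName $uri.Host -Port $port -InformationLevel Quiet))

# 3. The DLA drop folder the integrator creates: SaintReports\Completed and Saint.ini (Figure 12).
$reports = Join-Path $ScriptDir 'SaintReports'
$checks['SaintReports\Completed exists'] = Test-Path (Join-Path $reports 'Completed') -PathType Container
$checks['SaintReports\Saint.ini exists'] = Test-Path (Join-Path $reports 'Saint.ini') -PathType Leaf

# 4. The scheduled task exists, is enabled, has a trigger and runs from the script folder (Figures 13, 14).
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
$fromScriptDir = $task -and ($task.Actions | Where-Object {
    $_.WorkingDirectory -and $_.WorkingDirectory.TrimEnd('\') -ieq $ScriptDir.TrimEnd('\') })
$checks['Task exists']                  = [bool]$task
$checks['Task enabled']                 = [bool]($task -and $task.State -ne 'Disabled')
$checks['Task has a trigger']           = [bool]($task -and $task.Triggers.Count -gt 0)
$checks['Task runs from script folder'] = [bool]$fromScriptDir

# 5. The token sits in clear text in SaintConf.csv: the folder must not grant broad groups access.
$broad = (Get-Acl $ScriptDir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference -match '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)$' }
$checks['Script folder not broadly readable'] = -not $broad

# Print one line per check and fail the script (exit 1) if any check failed.
foreach ($c in $checks.GetEnumerator()) {
    '{0,-36} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'FAIL' })
}
if ($checks.Values -contains $false) { exit 1 }
```

A FAIL on the working-directory check is the one the guide warns about: the task runs, but the script cannot find SaintConf.csv and the SaintReports folder relative to its own location, so nothing reaches the DLA. The ACL check is the reason to care about the clear-text token at all: an unexpiring token readable by every local user is equivalent to giving them the SAINT account.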
Figure 15

Saint integration with EventTracker is now complete, and EventTracker is ready to receive Saint events.

EventTracker Knowledge Pack

Once logs are received in EventTracker, Categories and Reports can be configured in EventTracker. The following Knowledge Packs are available in EventTracker Enterprise to support Saint Security Suite.

Categories

Saint- Vulnerability detection: This category-based report provides information related to all the vulnerabilities that are detected by the Saint scanner.

Saint- Vulnerability checks: This category-based report provides information related to all the vulnerability checks available in the Saint scanner.
Saint- User details: This category-based report provides information related to all the user details.

Saint- Policy details: This category-based report provides information related to all the policy details that are set in the Saint scanner.

Flex Reports

Saint- Vulnerability detection: This report provides information related to all the vulnerabilities that are detected by the Saint scanner.

Logs Considered:

Figure 16

Figure 17
Saint- Vulnerability checks: This report provides information related to all the vulnerability checks available in the Saint scanner.

Logs Considered:

Figure 18

Figure 19
Saint- User details: This report provides information related to all the user details, user login failures, and user permission changes.

Logs Considered:

Figure 20

Figure 21

Saint- Policy details: This report provides information related to all the policy details that are set in the Saint scanner.
Figure 22

Logs Considered:

Figure 23
Import Saint Security Suite Knowledge Pack into EventTracker

NOTE: Import knowledge pack items in the following sequence:

1. Categories
2. Knowledge Objects
3. Token Templates
4. Flex Reports

NOTE: Export knowledge pack items in the same sequence:

1. Categories
2. Knowledge Objects
3. Token Templates
4. Flex Reports

1. Launch EventTracker Control Panel.
2. Double click Export Import Utility, and then click the Import tab.

Import Category

Figure 24

1. Click the Category option, and then click the browse button.
Figure 25

2. Locate the Saint_Categories.iscat file, and then click the Open button.
3. To import categories, click the Import button.
4. EventTracker displays a success message.

Figure 26

5. Click OK, and then click the Close button.

Import Knowledge Object

1. Click the Admin menu, and then click Knowledge Objects.
2. Click on the Import option.
Figure 27

3. In the IMPORT pane, click on the Browse button.

Figure 28

4. Locate the Saint_Knowledge objects.etko file, and then click the UPLOAD button.
Figure 29

5. Select the check box, and then click on the OVERWRITE option. EventTracker displays a success message.
6. Click on the OK button.

Figure 30
Token Template

1. Click the Admin menu, and then click Parsing rule.
2. Select the Template tab, and then click on the Import option.
3. Click on the Browse button.

Figure 31

4. Locate the Saint Templates.ettd file, and then click the Open button.

Figure 32

5. Select the check box, and then click on the Import option. EventTracker displays a success message.
6. Click on the OK button.

Figure 33
Import Flex Reports

1. In the Export Import Utility, click the Reports option, and then click the browse button.
2. Locate the applicable Saint Reports.etcrx file, and then click the Open button.

Figure 34

3. To import the scheduled reports, click the Import button.
Figure 35

4. EventTracker displays a success message.

Figure 36

5. Click OK, and then click the Close button.
Verify Saint Knowledge Pack

Verify Categories

1. Log on to EventTracker Enterprise.
2. Click the Admin menu, and then click Category.
3. In the Category Tree, scroll down and expand the Saint Security Suite group folder to view the imported categories.

Verify Knowledge Object

Figure 37

1. Click the Admin menu, and then click Knowledge Objects.
2. Scroll down and select Saint in the Objects pane. The imported Saint details are shown.
Token Template

Figure 38

1. Log on to the EventTracker Enterprise web interface.
2. Click the Admin menu, then click Parsing Rules, and then click Template.
3. Click on the Saint group option.
Verify Flex Reports

Figure 39

1. Log on to EventTracker Enterprise.
2. Click the Reports menu, and then Configuration.
3. Select Defined in the report type.
4. In the Report Groups Tree, scroll down and click the Saint Security Suite group folder to view the imported scheduled reports. The scheduled reports are displayed in the Reports configuration pane.
Figure 40

NOTE: Specify the appropriate systems in the report wizard for better performance.

Create Dashboards in EventTracker

Schedule Reports

1. Open EventTracker in a browser and log on.
2. Navigate to Reports > Configuration.

Figure 41
Figure 42

3. Select Saint Security Suite in the report groups. Select the Defined option.
4. Click on Schedule to plan a report for later execution.
Figure 43

5. Choose an appropriate time for report execution and, in Step 8, check the Persist data in Eventvault explorer box.
Figure 44

6. Check the column names to persist using the PERSIST check boxes beside them. Choose a suitable retention period.
7. Proceed to the next step and click the Schedule button.
8. Wait for the scheduled time or generate the report manually.

Create Dashlets

1. EventTracker 8 is required to configure a flex dashboard.
2. Open EventTracker in a browser and log on.
Figure 45

3. Navigate to Dashboard > Flex. The Flex Dashboard pane is shown.
4. Click the add icon to add a new dashboard. The Flex Dashboard configuration pane is shown.

Figure 46

Figure 47
5. Fill in a fitting title and description and click the Save button.
6. Click the configure icon to configure a new flex dashlet. The Widget configuration pane is shown.

Figure 48

7. Locate the earlier scheduled report in the Data Source drop-down.
8. Select the Chart Type from the drop-down.
9. Select the extent of data to be displayed in the Duration drop-down.
10. Select the computation type in the Value Field Setting drop-down.
11. Select the evaluation duration in the As Of drop-down.
12. Select comparable values in X Axis with a suitable label.
13. Select numeric values in Y Axis with a suitable label.
14. Select a comparable sequence in Legend.
15. Click the Test button to evaluate. The evaluated chart is shown.

Figure 49

16. If satisfied, click the Configure button.
17. Click Customize to locate and choose the created dashlet.
18. Click the add icon to add the dashlet to the earlier created dashboard.
Sample Dashboards

REPORT: Saint- Vulnerability detection
WIDGET TITLE: Saint- Vulnerability detection
CHART TYPE: Stacked Column
AXIS LABELS [X-AXIS]: Host Name
LEGEND [SERIES]: Vulnerability/Service

Figure 50
REPORT: Saint- Vulnerability checks
WIDGET TITLE: Saint- Vulnerability checks
CHART TYPE: Donut
AXIS LABELS [X-AXIS]: CVE
LEGEND [SERIES]: Severity category

Figure 51
REPORT: Saint- User details
WIDGET TITLE: Saint- User details
CHART TYPE: Pie
AXIS LABELS [X-AXIS]: User Name
LEGEND [SERIES]: Failed Logins

Figure 52

REPORT: Saint- Policy details
WIDGET TITLE: Saint- Policy details
CHART TYPE: Stacked Column
AXIS LABELS [X-AXIS]: Policy category
LEGEND [SERIES]: Category Description

Figure 53