Syslog Events to SIEM Platforms
Votiro Cloud logs can be sent to SIEM in Common Event Format (CEF) or Log Event Extended Format (LEEF).
- Each incident that is created generates one Sanitization summary Syslog message.
- When an incident is created for an archive or an eml/email file, a separate Syslog message is generated for each child inside the archive/email. Nested archives and eml files are drilled into until no archive/eml files remain. For example:
  - An eml file containing a zip file of 2 Word files generates a total of 4 syslog messages
  - A zip file of 2 Word files generates a total of 3 syslog messages
  - A pdf file generates 1 syslog message
  - A docx file generates 1 syslog message
- Syslog messages support UTF-8.
The CEF message format is as follows:

| | Fields 1 - 8 | Fields 9 - 32 |
|---|---|---|
| Separator | \| (pipe) | Space |
| Field name | Not used | See the table below |
| Format | Value | Field name=Value |
| Multiple values | Not supported | Separated by semicolon ";" |
To enable SIEM logging, you must configure the SIEM settings in the Management Dashboard, see
Here is an example of a SIEM message in CEF format:
Mar 10 07:07:32|CEF:0|Votiro|Votiro cloud|9.6.348|500|Sanitization summary|5| CompanyName=Votiro1 CorrelationId=33a5d413-3be6-4b28-b5b7-257fc2add78d ItemId= 33a5d413-3be6-4b28-b5b7-257fc2add78d fileName=KingDemo.pdf FileType=pdf fileHash=5m6def67073ea7cf9aa3a68899f10fcdd074440efd60fa04e94774e9434eel52 fileSize=4020211 PasswordProtected=false AVResult=Clean ThreatCount=1 BlockedCount=0 Threats=Dynamic code execution fileModification=Java Script removed SanitizationResult= Sanitized SanitizationTime=1700 ConnectorType=File connector connectorName=Ron file connector ConnectorID=9098ddf2-7904-4e70-bff7-293b5e62f61c policyName=Ron file connector policy ExceptionId=null incidentURL = https://{clusterFQDN}/app/fileDetails/33a5d413-3be6-4b28-b5b7-257fc2add78d/33a5d413-3be6-4b28-b5b7-257fc2add78d MessageId=null Subject=null From=null Recipients=null
Here is an example of a SIEM message in LEEF format:
Mar 10 07:07:32 LEEF:1.0 |Votiro|Votiro cloud|9.6.348|500|Sanitization summary|5| CompanyName=Votiro1 Correlation Id = 33a5d413-3be6-4b28-b5b7-257fc2add78d ItemId= 33a5d413-3be6-4b28-b5b7-257fc2add78d fileName=KingDemo.pdf FileType=pdf fileHash=5m6def67073ea7cf9aa3a68899f10fcdd074440efd60fa04e94774e9434eel52 fileSize=4020211 Password protected = false AV Result= clean ThreatCount= 1 BlockedCount= 0 Threats= Dynamic code execution fileModification = Java Script removed SanitizationResult= Sanitized SanitizationTime= 1700 Connector Type= File connector connectorName= Ron file connector ConnectorID= 9098ddf2-7904-4e70-bff7-293b5e62f61c policyName= Ron file connector policy ExceptionId= null incidentURL = https://{clusterFQDN}/app/fileDetails/33a5d413-3be6-4b28-b5b7-257fc2add78d/33a5d413-3be6-4b28-b5b7-257fc2add78d MessageId= null Subject= null From= null Recipients= null
Votiro Sanitization summary Syslog message format

| Field # | Field name | Description | Value |
|---|---|---|---|
| 1 | Timestamp | Event timestamp based on customer time | {MMM DD HH:mm:SS}, for example Mar 10 07:07:32 |
| 2 | Syslog message format | Syslog message format | CEF:0 (LEEF:1.0 for LEEF) |
| 3 | Device vendor | Vendor name | Votiro |
| 4 | Device name | Device name | Votiro Cloud |
| 5 | Device version | Product version | {Product version}, for example 9.8.100 |
| 6 | Signature ID | Signature ID of the event | 500 |
| 7 | Message name | Syslog message name | Sanitization summary |
| 8 | Message severity level | Message severity level. Note: all events have the same severity level. | 5 |
| 9 | Company name | Customer's company name configured in the Management Dashboard | {Company name} |
| 10 | Correlation ID | Unique GUID that represents the file | {GUID} |
| 11 | Item ID | Unique GUID that represents the file. The Item ID equals the Correlation ID when the message describes the parent file itself; a different Item ID means the message describes a child (inner) file of that parent. | {GUID} |
| 12 | File name | File name | {character string} |
| 13 | File type | File extension | {character string}, for example pdf |
| 14 | File hash | Hash of the file | {hash (hexadecimal) string} |
| 15 | File size | File size in bytes | {long integer} |
| 16 | Password protected | Indicates whether the file is password protected | true / false |
| 17 | AV result | Result of the Anti-Virus engine's scan of the file | Infected / Clean / Not used (if the AV is not activated) |
| 18 | Threat count | Number of threats detected in the file | {integer} |
| 19 | Blocked count | Number of blocked files inside the file | {integer} |
| 20 | Threats | Description of the threats detected in the file | {character string}, for example Suspicious macro; external link path |
| 21 | File modification | Description of what Votiro Cloud modified in the file | {character string}, for example Removed suspicious macros; Removed external link path |
| 22 | Sanitization result | Result of Votiro Cloud's sanitization of the file | Sanitized / Partially sanitized (a parent file whose inner files are blocked or skipped) / Skipped / Blocked |
| 23 | Sanitization duration | Sanitization time for the file in ms | {integer} |
| 24 | Connector type | Type of connector | Email connector / File connector / Menlo connector / AWS S3 connector / Office 365 connector / API / Self-sanitization |
| 25 | Connector name | Connector name configured by the customer in the Management Dashboard | {character string} |
| 26 | Policy name | Customer policy name | {character string} |
| 27 | Exception ID | Indicates which policy exception the file triggered | {integer} or "null" |
| 28 | Incident URL | URL to navigate to the incident in the Management Dashboard | https://{cluster FQDN}/app/fileDetails/{Correlation ID}/{Item ID} |
| 29 | Message ID | Message ID value assigned by Exchange / Office 365 | {Message ID} or "null" |
| 30 | Subject | Email subject | {character string} or "null" |
| 31 | From | Sender's email address | {character string} or "null" |
| 32 | Recipients | Recipients' email addresses | {character string} or "null" |
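The following parser is an added example for this article, not Votiro's own code or documentation. It reads the CEF layout described above (timestamp, CEF:0 and six more pipe-separated header fields, then space-separated key=value extensions with multi-valued fields joined by ";"), types the fields the table documents as integers, booleans, lists or "null", and then groups messages by Correlation ID to rebuild the parent/child structure of an archive incident (parent: Item ID equals Correlation ID; children: any other Item ID). It runs on the article's own CEF example plus three constructed messages for the "zip file of 2 Word files" case from the bullet list above; the GUIDs, hash, connector name, mailbox and addresses in those constructed messages are made up.

```python
"""Parse Votiro Cloud CEF "Sanitization summary" messages and group the parent and
child records of one incident by CorrelationId.

Added example for this article, not Votiro's own code.  It assumes only the layout
documented above: timestamp, CEF:0 plus six pipe-separated header fields, then
space-separated key=value extensions, multi-values joined by ';'.  SAMPLE_MESSAGES[0]
is the article's CEF example as printed; the other three are constructed (a zip
holding report.docx, sanitized, and invoice.docx, blocked) with made-up GUIDs/names.
"""
import re
from collections import defaultdict

MULTI_VALUE_KEYS = {"Threats", "fileModification"}                    # fields 20, 21
INT_KEYS = {"fileSize", "ThreatCount", "BlockedCount", "SanitizationTime"}
BOOL_KEYS = {"PasswordProtected"}
_PIPE = re.compile(r"(?<!\\)\|")                      # CEF escapes a literal '|' as '\|'
_EXT_KEY = re.compile(r"(?:^|(?<=\s))(\w+)\s*=\s*")   # 'key=' with optional padding

def parse_cef(line):
    """Header fields plus an 'ext' dict of typed extension values.  A value runs up to
    the next 'key=' token, so a literal '=' in a value must arrive escaped as '\\='."""
    parts = _PIPE.split(line, maxsplit=8)
    if len(parts) != 9 or parts[1].strip() != "CEF:0":
        raise ValueError("not a CEF:0 message: %r" % line[:60])
    rec = {"timestamp": parts[0].strip(), "vendor": parts[2], "product": parts[3],
           "version": parts[4], "signature_id": parts[5], "name": parts[6],
           "severity": int(parts[7]), "ext": {}}
    body, keys = parts[8], list(_EXT_KEY.finditer(parts[8]))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        key, value = m.group(1), body[m.end():end].strip()
        if key in MULTI_VALUE_KEYS:                   # 'a;b' -> ['a', 'b']
            value = [v.strip() for v in value.split(";") if v.strip()]
        elif key in INT_KEYS:
            value = int(value)
        elif key in BOOL_KEYS:
            value = value.lower() == "true"
        elif value == "null":                         # fields 27 and 29-32
            value = None
        rec["ext"][key] = value
    return rec

def group_by_incident(records):
    """Group by CorrelationId.  The parent is the record whose ItemId equals its
    CorrelationId (field 11); every other record is an inner file of that parent."""
    incidents = defaultdict(lambda: {"parent": None, "children": []})
    for rec in records:
        ext = rec["ext"]
        bucket = incidents[ext["CorrelationId"]]
        if ext["ItemId"] == ext["CorrelationId"]:
            bucket["parent"] = rec
        else:
            bucket["children"].append(rec)
    return dict(incidents)

def needs_review(incident):
    """True if any file was Blocked, Infected per the AV engine, or only partially sanitized."""
    recs = [r for r in [incident["parent"]] + incident["children"] if r]
    return any(r["ext"].get("AVResult") == "Infected"
               or (r["ext"].get("BlockedCount") or 0) > 0
               or r["ext"].get("SanitizationResult") in ("Blocked", "Partially sanitized")
               for r in recs)

_HDR = "Mar 10 07:09:01|CEF:0|Votiro|Votiro cloud|9.6.348|500|Sanitization summary|5| "
_CORR = "8f2d0c1e-1111-4a2b-9c3d-000000000001"               # made-up incident GUID
_ITEM2, _ITEM3 = _CORR[:-1] + "2", _CORR[:-1] + "3"          # made-up child GUIDs
_HEX = "0123456789abcdef" * 4                                # placeholder hash
_URL = "https://{clusterFQDN}/app/fileDetails/" + _CORR + "/"
_TAIL = (" ConnectorType=Email connector connectorName=O365 mailbox ConnectorID=5c1e2d3f-2222-"
         "4b5a-8c6d-000000000009 policyName=Default policy ExceptionId=null MessageId=<2024031007"
         "0901.AB12@example.com> Subject=Q3 invoices From=alice@example.com Recipients=bob@example.com")
SAMPLE_MESSAGES = [
    "Mar 10 07:07:32|CEF:0|Votiro|Votiro cloud|9.6.348|500|Sanitization summary|5| CompanyName="
    "Votiro1 CorrelationId=33a5d413-3be6-4b28-b5b7-257fc2add78d ItemId= 33a5d413-3be6-4b28-b5b7-"
    "257fc2add78d fileName=KingDemo.pdf FileType=pdf fileHash=5m6def67073ea7cf9aa3a68899f10fcdd0"
    "74440efd60fa04e94774e9434eel52 fileSize=4020211 PasswordProtected=false AVResult=Clean "
    "ThreatCount=1 BlockedCount=0 Threats=Dynamic code execution fileModification=Java Script "
    "removed SanitizationResult= Sanitized SanitizationTime=1700 ConnectorType=File connector "
    "connectorName=Ron file connector ConnectorID=9098ddf2-7904-4e70-bff7-293b5e62f61c policyName="
    "Ron file connector policy ExceptionId=null incidentURL = https://{clusterFQDN}/app/fileDetails/"
    "33a5d413-3be6-4b28-b5b7-257fc2add78d/33a5d413-3be6-4b28-b5b7-257fc2add78d MessageId=null "
    "Subject=null From=null Recipients=null",
    _HDR + "CompanyName=Votiro1 CorrelationId=" + _CORR + " ItemId=" + _CORR + " fileName=attachments"
    ".zip FileType=zip fileHash=" + _HEX + " fileSize=88213 PasswordProtected=false AVResult=Clean "
    "ThreatCount=3 BlockedCount=1 SanitizationResult=Partially sanitized SanitizationTime=3200 "
    "incidentURL=" + _URL + _CORR + _TAIL,
    _HDR + "CompanyName=Votiro1 CorrelationId=" + _CORR + " ItemId=" + _ITEM2 + " fileName=report.docx"
    " FileType=docx fileHash=" + _HEX + " fileSize=40112 PasswordProtected=false AVResult=Clean "
    "ThreatCount=1 BlockedCount=0 Threats=Suspicious macro fileModification=Removed suspicious macros "
    "SanitizationResult=Sanitized SanitizationTime=900 incidentURL=" + _URL + _ITEM2 + _TAIL,
    _HDR + "CompanyName=Votiro1 CorrelationId=" + _CORR + " ItemId=" + _ITEM3 + " fileName=invoice.docx"
    " FileType=docx fileHash=" + _HEX + " fileSize=51309 PasswordProtected=false AVResult=Infected "
    "ThreatCount=2 BlockedCount=1 Threats=Suspicious macro;external link path SanitizationResult="
    "Blocked SanitizationTime=450 incidentURL=" + _URL + _ITEM3 + _TAIL,
]

if __name__ == "__main__":
    for corr, inc in group_by_incident(map(parse_cef, SAMPLE_MESSAGES)).items():
        print(corr, 1 + len(inc["children"]), "REVIEW" if needs_review(inc) else "ok")
```

The parser deliberately tolerates the spaces around "=" that appear in the article's example ("ItemId= 33a5...", "incidentURL = https://...") and stops each value at the next "key=" token, which is why a literal "=" inside a value has to arrive escaped as the CEF specification requires. It handles CEF only; the LEEF example above uses a different header and key spelling and would need its own branch. Grouping on Correlation ID is what turns the 3 messages of a zip (or 4 of an eml containing a zip) back into one incident, so a SIEM rule can fire once per parent file rather than once per child.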