Overview
A large enterprise typically has many security products deployed. The SOC (Security Operations Center) team must handle all of them, and each one generates alerts or cases about potential cyber attacks. Because it is almost impossible to attend to every management console, and because events from different systems need to be correlated, almost every enterprise uses a single pane of glass (SPOG). In the context of SIEM (Security Information and Event Management) software, the SPOG is a unified dashboard that consolidates data, insights, and controls from the various security tools, providing a comprehensive view of the organization's security posture in one place. This lets security teams monitor, analyze, and respond to threats more effectively instead of juggling multiple interfaces.
There are several standard ways to send data to a SIEM; the most common is Syslog. Votiro's Syslog messages include all the important information about sanitized files, which helps correlate that information with other IOCs (Indicators of Compromise) and define automated remediation.
What is SIEM
Security Information and Event Management (SIEM) is a software solution that aggregates and analyzes activity from many different resources across your entire IT infrastructure.
SIEM collects security data from network devices, servers, domain controllers, and more. SIEM stores, normalizes, aggregates, and applies analytics to that data to discover trends, detect threats, and enable organizations to investigate any alerts.
Votiro logs can be sent to SIEM in Common Event Format (CEF) or Log Event Extended Format (LEEF).
To enable SIEM logging, you must configure the SIEM settings in the Management Dashboard.
Votiro Audit Events Syslog message format
| Field # | Field name | Description | Value |
| --- | --- | --- | --- |
| 1 | Timestamp | Event timestamp, in the customer's time | `{MMM DD HH:mm:SS}`, for example `Mar 10 07:07:32` |
| 2 | Syslog message format | Syslog message format | For CEF format: `CEF:0`; for LEEF format: `LEEF:1.0` |
| 3 | Device vendor | Vendor name | Votiro |
| 4 | Device name | Device name | Votiro |
| 5 | Device version | Product version | `{Product version}`, for example `9.8.100` |
| 6 | Signature ID | Signature ID of the event | 600 |
| 7 | Message name | Syslog message name | Audit event |
| 8 | Message severity level | Message severity level (numeric). Note: all events have the same severity level. | 5 |
| 9 | Company name | Customer's company name (string), as configured in the Management Dashboard | `{Company name}` |
| 10 | Correlation ID | Unique GUID that identifies the event | `{GUID}` |
| 11 | msg | Message content | (string) see the event message examples below |
| 12 | suser | The user that performed the action | `{character string}` |
| 13 | Changes | The changes that were performed by the action. Relevant only for events where changes were made. | `{character string}`, for example `pdf` |
Audit Event Types
Audit events that should be sent for every user action:
- Login - success, failure
- File actions - Download original/sanitized, Release original
- Release PPF (Only for email v10.0)
- System configuration
- SMTP
- SAML
- Active Directory
- Users/Local users
- SIEM
- Service Token (Created, Deleted)
- License (License expiration date)
- CDR Policies actions (changes performed on policies)
Out of scope:
- Customization (Out of scope for v10.0)
- Connectors (Out of scope for v10.0)
- DDR Policies actions (Out of scope for v10.0)
- Download/Release unmasked (Out of scope for v10.0)
Audit Event Message Examples
| Event message content | Example |
| --- | --- |
| User {username} logged in to Management | `Mar 10 07:07:32 CEF:0\|Votiro\|Votiro cloud\|600\|Audit Event\|5\|CompanyName=Votiro CorrelationId=98061190-e3e2-438b-b9cb-88941c0a6371 msg=User 'Ron' logged in to Management suser=Ron` |
| User {username} failed to authenticate | `Mar 10 07:07:32 CEF:0\|Votiro\|Votiro cloud\|600\|Audit Event\|5\|CompanyName=Votiro CorrelationId=98061190-e3e2-438b-b9cb-88941c0a6371 msg=User 'Ron' failed to authenticate suser=Ron` |
| Original file {File Name} has been downloaded by User {username} | `Mar 10 07:07:32 CEF:0\|Votiro\|Votiro cloud\|600\|Audit Event\|5\|CompanyName=Votiro CorrelationId=98061190-e3e2-438b-b9cb-88941c0a6371 msg=Original file 'RonIsTheKing.docx' has been downloaded suser=Ron` |
| Sanitized file {File Name} has been downloaded by User {username} | `Mar 10 07:07:32 CEF:0\|Votiro\|Votiro cloud\|600\|Audit Event\|5\|CompanyName=Votiro CorrelationId=98061190-e3e2-438b-b9cb-88941c0a6371 msg=Sanitized file "RonIsTheKing.docx" has been downloaded suser=Ron` |
| Original file {File Name} has been released by User {username} | `Mar 10 07:07:32 CEF:0\|Votiro\|Votiro cloud\|600\|Audit Event\|5\|CompanyName=Votiro CorrelationId=98061190-e3e2-438b-b9cb-88941c0a6371 msg=Original file 'RonIsTheKing.docx' has been released suser=Ron` |
| Policy {Policy Name} has been created | `Mar 10 07:07:32 CEF:0\|Votiro\|Votiro cloud\|600\|Audit Event\|5\|CompanyName=Votiro CorrelationId=98061190-e3e2-438b-b9cb-88941c0a6371 msg=Policy 'King' has been created suser=Ron` |
| Policy {Policy Name} has been updated, changes: {change description} {oldValue} {newValue} | `Mar 10 07:07:32 CEF:0\|Votiro\|Votiro cloud\|600\|Audit Event\|5\|CompanyName=Votiro CorrelationId=98061190-e3e2-438b-b9cb-88941c0a6371 msg=Policy 'King' has been updated changes=PDF case command has been changed oldValue=Blocked newValue=Sanitized suser=Ron` |
| (second example of the same event) | `Mar 10 07:07:32 CEF:0\|Votiro\|Votiro cloud\|600\|Audit Event\|5\|CompanyName=Votiro CorrelationId=98061190-e3e2-438b-b9cb-88941c0a6371 msg=Policy 'King' has been updated changes=Exception has been added to PDF case has been changed oldValue=null newValue=null suser=Ron` |
| Policy {Policy Name} has been deleted | `Mar 10 07:07:32 CEF:0\|Votiro\|Votiro cloud\|600\|Audit Event\|5\|CompanyName=Votiro CorrelationId=98061190-e3e2-438b-b9cb-88941c0a6371 msg=Policy 'King' has been deleted suser=Ron` |
| Report {Report Name} has been exported | `Mar 10 07:07:32 CEF:0\|Votiro\|Votiro cloud\|600\|Audit Event\|5\|CompanyName=Votiro CorrelationId=98061190-e3e2-438b-b9cb-88941c0a6371 msg=Report "Audit report" has been exported suser=Ron` |
| Configuration {Configuration Key} has been updated {oldValue} {newValue} | `Mar 10 07:07:32 CEF:0\|Votiro\|Votiro cloud\|600\|Audit Event\|5\|CompanyName=Votiro CorrelationId=98061190-e3e2-438b-b9cb-88941c0a6371 msg=Configuration "Blob files days to keep" has been updated oldValue=180 newValue=90 suser=Ron` |
| Role has been changed for user {userName} {oldValue} {newValue} | `Mar 10 07:07:32 CEF:0\|Votiro\|Votiro cloud\|600\|Audit Event\|5\|CompanyName=Votiro CorrelationId=98061190-e3e2-438b-b9cb-88941c0a6371 msg=Role has been changed for user 'King' oldValue=SOC newValue=Helpdesk suser=Ron` |
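As an added example (not Votiro's own code), the following Python parser handles the audit-event lines described in the field table and shown in the examples above, and runs a small triage pass over constructed sample events that counts failed logins per user and lists every policy or configuration change together with its old and new value. It assumes the header layout of the examples (no device-version field) but also accepts the full CEF header from the field table; the sample lines and their correlation IDs are constructed, not captured output.

```python
import re
from collections import Counter
from typing import Dict, List

PREFIX = "CEF:0|Votiro|Votiro cloud|600|Audit Event|5|CompanyName=Votiro CorrelationId="
SAMPLE_LINES = [  # constructed samples modelled on the table above, not captured Votiro output
    f"Mar 10 07:07:32 {PREFIX}11111111-0000-4000-8000-000000000001 msg=User 'Ron' failed to authenticate suser=Ron",
    f"Mar 10 07:07:40 {PREFIX}11111111-0000-4000-8000-000000000002 msg=User 'Ron' failed to authenticate suser=Ron",
    f"Mar 10 07:08:01 {PREFIX}11111111-0000-4000-8000-000000000003 msg=User 'Ron' logged in to Management suser=Ron",
    f"Mar 10 07:09:15 {PREFIX}11111111-0000-4000-8000-000000000004 msg=Policy 'King' has been updated "
    "changes=PDF case command has been changed oldValue=Blocked newValue=Sanitized suser=Ron",
    f'Mar 10 07:10:02 {PREFIX}11111111-0000-4000-8000-000000000005 msg=Configuration "Blob files days to keep" '
    "has been updated oldValue=180 newValue=90 suser=Ron",
]

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<cef>CEF:\d+\|.*)$")
PIPE_RE = re.compile(r"(?<!\\)\|")     # header separator; a literal pipe in a header field is escaped as \|
KEY_RE = re.compile(r"(?:^| )(\w+)=")  # start of an extension key=value pair (values may contain spaces)

def parse_votiro_cef(line: str) -> Dict[str, str]:
    """Parse one Votiro audit-event syslog line into a flat dict of header fields and extension keys."""
    m = TS_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Votiro CEF audit line: {line[:40]!r}")
    parts = PIPE_RE.split(m.group("cef"), maxsplit=7)
    names = ["cef_version", "vendor", "product", "version", "signature_id", "name", "severity"]
    if not (len(parts) == 8 and parts[4].isdigit() and parts[6].isdigit()):
        # This page's examples omit the device-version field: the extension already starts at piece 7.
        parts = parts[:6] + ["|".join(parts[6:])]
        names.remove("version")
    if len(parts) != len(names) + 1:
        raise ValueError("unexpected CEF header field count")
    event = dict(zip(names, parts))
    event["timestamp"] = m.group("ts")
    keys = list(KEY_RE.finditer(ext := parts[-1]))
    for i, k in enumerate(keys):  # a value runs up to the next "key=" token, so a "word=" inside msg would split it
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        event[k.group(1)] = ext[k.end():end].strip()
    return event

def triage(lines: List[str]) -> Dict[str, object]:
    """Count failed logins per user and collect every change event with its old and new value."""
    failed: Counter = Counter()
    changes = []
    for ev in map(parse_votiro_cef, lines):
        if ev.get("msg", "").endswith("failed to authenticate"):
            failed[ev.get("suser", "?")] += 1
        if "oldValue" in ev:  # policy, configuration and role changes all carry oldValue/newValue
            changes.append((ev["suser"], ev["msg"], ev.get("changes", ""), ev["oldValue"], ev["newValue"]))
    return {"failed_logins": dict(failed), "changes": changes}
```

A SIEM rule built on this parse would typically alert on a burst of failed logins for one suser, and on any change whose newValue is weaker than its oldValue (such as a file type moving from Blocked to Sanitized, or a retention period being shortened).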