...

1. Accessing SIEM mappings files

NOTE: For this step you will need to access WWWROOT. It is typically located at:

  • Windows: c:\xampp\htdocs
  • Linux (later than Ubuntu 14.04): /var/www/html
  • Linux (earlier than Ubuntu 14.04): /var/www

Create and access SIEM mappings files:

Navigate to the following directory:

WWWROOT/app/siem/maps

It contains the following files:

auditmap.php
auditmap-sample.php
systemalertsmap.php
systemalertsmap-sample.php

which store mappings and mapping samples for audit and system alerts respectively.

Modify the mappings to correspond to your system, and save them as auditmap.php and systemalertsmap.php.

  • auditmap.php enables FileCloud to convert audit entries to valid SIEM messages.
  • systemalertsmap.php enables FileCloud to convert FileCloud's System Alerts to valid SIEM messages.

Samples are provided in the auditmap-sample.php and systemalertsmap-sample.php files.

NOTE: Mappings are stored in .php files, so they have to follow all PHP syntax rules as well as the internal mapping rules and syntax. To validate all mappings, navigate to Admin Panel → Settings → Third Party Integrations → SIEM and click the 'Validate mappings' button.


INFO:

When you upgrade FileCloud, if you previously integrated with SIEM and already have auditmap.php and systemalertsmap.php files, you do not have to recreate or edit them unless you want to change existing mappings.


SIEM mapping format:


A SIEM mapping is one entry of the PHP mappings array and is itself an array. It contains the following fields:

id (Required) - identifies the System Alert / Audit entry this map refers to. NOTE: It can be a string literal matching the audit operation name or one of the SiemArea values available in FileCloud, an array of such values, or the wildcard '*', which applies the mapping to ALL audit entries / system alerts.

prefilter (Optional) - a collection of preconditions that an event has to meet in order to be processed and sent to the SIEM system. It is an array of filters, each of the form property => value, where:

  • property is a valid property available for the Audit / System Alert record (TBD - add lists of properties)
  • value is the value that has to be matched in order to process the Audit / System Alert record, e.g.

    'prefilter' => [
        'level' => SysAlert::SYSALERT_LEVEL_MELTDOWN
    ],

specifies that only System Alerts with the Meltdown criticality level will be sent to the SIEM server.

map (Required) - specifies the actual mapping between the FileCloud object being processed and the SIEM-formatted message that will be sent to the SIEM server. The SIEM object has to contain the following four fields:

  • eventClass - class of the event in the SIEM system.
  • eventName - name of the event.
  • severity - the SIEM-side severity, a number in the range 1-10.
  • extension - a collection (array) of additional key-value pairs that will be stored in the SIEM system (e.g. the user that performed the action, the IP address of the request). The key can be any arbitrary string.


To allow mapping values to be resolved flexibly, a small value 'language' is used. Values can be provided in any of the following ways:

  • As a literal value (a string or number), e.g.

    'eventClass' => 'authentication',
    'eventName' => 'invalid login',
    'severity' => 3


  • As a property binding that resolves to the actual value of the FileCloud audit entry or system alert being processed:

    'eventClass' => '$siemArea',
    'eventName' => '$description',
    'user' => '$username',
    'ip' => '$ip'

    Please check the full list of supported properties for more details. (TBD)


  • As a method call:

    'severity' => [[SiemConversionHelper::class, 'getSysAlertSeverity'], ['$level']],

    NOTE: Users can create their own methods to be used here. The first element is the PHP callback (class, method name) and the second element is the optional array of values that will be passed to that callback. Parameters can be literal values or runtime-resolvable properties as described above. In FileCloud 19.2 getSysAlertSeverity is the only method available out of the box. It converts the internal System Alert severity into the 1-10 range required by the SIEM integration as follows:

    • Meltdown: 10
    • Critical: 7
    • Warning: 4
    • Information: 1

Sample mappings:

System Alerts:

//Report all meltdowns
$mappings[] = [
    'id' => '*', //Wildcard denotes all Alerts
    'prefilter' => [
        'level' => SysAlert::SYSALERT_LEVEL_MELTDOWN
    ],
    'map' => [
        'eventClass' => '$siemArea',
        'eventName' => '$description',
        'severity' => 10,
        'extension' => [
            'user' => '$username',
            'ip' => '$ip'
        ]
    ]
];

//AV system alert - infected file found
$mappings[] = [
    'id' => SiemArea::INFECTED_FILE,
    'map' => [
        'eventClass' => 'System Error',
        'eventName' => '$description',
        'severity' => [[SiemConversionHelper::class, 'getSysAlertSeverity'], ['$level']],
        'extension' => [
            'user' => '$username',
            'ip' => '$ip',
            'path' => '$alertContext.filePath',
            'file' => '$alertContext.fileName'
        ]
    ]
];

//Type mismatch report
$mappings[] = [
    'id' => SiemArea::INVALID_FILE_TYPE,
    'map' => [
        'eventClass' => 'System Error',
        'eventName' => '$description',
        'severity' => [[SiemConversionHelper::class, 'getSysAlertSeverity'], ['$level']],
        'extension' => [
            'user' => '$username',
            'ip' => '$ip',
            'path' => '$alertContext.file'
        ]
    ]
];

Audit:

//Report all audit events
$mappings[] = [
    'id' => '*',
    'prefilter' => [],
    'map' => [
        'eventClass' => '$operation',
        'eventName' => '$operation',
        'severity' => 2,
        'extension' => [
            'user' => '$userName',
            'userAgent' => '$userAgent',
            'ip' => '$ip',
            'notes' => '$notes'
        ]
    ]
];


//Failed login attempt
$mappings[] = [
    'id' => 'loginguest',
    'prefilter' => [
        //List of conditions the audit entry has to meet in order to be processed (or to be filtered out, if the exclude option is set)
        'resultCode' => '0', //incidents only
        'exclude' => false //optional; include mode is used by default
    ],
    'map' => [
        'eventClass' => 'login',
        'eventName' => 'Invalid login attempt',
        'severity' => 2,
        'extension' => [
            'user' => '$userName',
            'ip' => '$ip'
        ]
    ]
];
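How a mapping like the ones above is interpreted, as an added example that is not FileCloud's code: a minimal PHP resolver that applies the id match, the prefilter (including the 'exclude' option), '$property' bindings with dotted '$alertContext.key' paths, and [callback, args] method calls to a constructed system alert. SiemConversionHelper here is a stand-in carrying the documented 1-10 table rather than the FileCloud class, and the id and level strings are constructed values.

```php
<?php
// Added example, not FileCloud code: a minimal resolver showing how a mapping's prefilter,
// '$property' bindings, dotted '$alertContext.key' paths and [callback, args] values are
// applied to one record. SiemConversionHelper is a stand-in for the FileCloud class named above.
final class SiemConversionHelper {
    public static function getSysAlertSeverity(string $level): int { // 1-10 table from this page
        return ['meltdown' => 10, 'critical' => 7, 'warning' => 4, 'information' => 1][strtolower($level)] ?? 1;
    }
}
// '$prop' or '$prop.sub' reads from the record (null when absent), [[class, method], [args]] calls
// the method with resolved args, other arrays are resolved element by element, the rest are literals.
function resolveValue($value, array $record) {
    if (is_string($value) && ($value[0] ?? '') === '$') {
        $cur = $record;
        foreach (explode('.', substr($value, 1)) as $key) {
            if (!is_array($cur) || !array_key_exists($key, $cur)) { return null; }
            $cur = $cur[$key];
        }
        return $cur;
    }
    if (is_array($value) && isset($value[0]) && is_callable($value[0])) {
        return call_user_func_array($value[0], resolveValue($value[1] ?? [], $record));
    }
    return is_array($value) ? array_map(fn($v) => resolveValue($v, $record), $value) : $value;
}
// A mapping applies when its id is '*', the record's id, or a list containing it, and every
// prefilter condition holds; 'exclude' => true inverts that, dropping records meeting all conditions.
function matches(array $mapping, string $id, array $record): bool {
    $ids = (array) $mapping['id'];
    if (!in_array('*', $ids, true) && !in_array($id, $ids, true)) { return false; }
    $filter = $mapping['prefilter'] ?? [];
    $exclude = (bool) ($filter['exclude'] ?? false);
    unset($filter['exclude']);
    foreach ($filter as $prop => $expected) {
        if ((string) ($record[$prop] ?? '') !== (string) $expected) { return $exclude; }
    }
    return !$exclude;
}
// The SIEM message (eventClass, eventName, severity, extension) for one record, or null if no match.
function buildSiemMessage(array $mapping, string $id, array $record): ?array {
    return matches($mapping, $id, $record) ? resolveValue($mapping['map'], $record) : null;
}
// Constructed sample alert run through a mapping shaped like the page's "infected file" example.
$mapping = ['id' => 'INFECTED_FILE', 'prefilter' => ['level' => 'critical'], 'map' => [
    'eventClass' => 'System Error', 'eventName' => '$description',
    'severity' => [[SiemConversionHelper::class, 'getSysAlertSeverity'], ['$level']],
    'extension' => ['user' => '$username', 'ip' => '$ip', 'path' => '$alertContext.filePath']]];
$alert = ['level' => 'critical', 'description' => 'Infected file found', 'username' => 'jdoe',
    'ip' => '203.0.113.7', 'alertContext' => ['filePath' => '/shared/invoice.pdf']];
print_r(buildSiemMessage($mapping, 'INFECTED_FILE', $alert));
```

Changing the constructed alert's level to 'warning' makes the prefilter fail and buildSiemMessage returns null, which is the check to run when a mapping is unexpectedly silent in the SIEM.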


...