Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

VMware AppDefense

 

The JSA DSM for VMware AppDefense collects events from a VMware AppDefense

To integrate VMware AppDefense with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA console:
    • Protocol Common RPM

    • VMware AppDefense API Protocol RPM

    • DSMCommon RPM

    • VMware AppDefense DSM RPM

  2. Configure your VMware AppDefense to send events to JSA.
  3. Add a VMware AppDefense log source that uses the VMware AppDefense API on the JSA Console.

VMware AppDefense DSM Specifications

The following table describes the specifications for the VMware AppDefense DSM.

Table 1: VMware AppDefense DSM Specifications

Specification

Value

Manufacturer

VMware

DSM name

VMware AppDefense

RPM file name

DSM-VMware AppDefenseJSA-version-Build_number.noarch.rpm

Supported versions

V1.0

Protocol

VMware AppDefense API

Event format

JSON

Recorded event types

All

Automatically discovered?

No

Includes identity?

No

Includes custom properties?

No

More information

(https://cloud.vmware.com/ appdefense)

The JSA DSM for VMware AppDefense collects events from a VMware AppDefense system.

Configuring VMware AppDefense to Communicate with JSA

To send events to JSA from your VMware AppDefense system, you must create a new API key on your VMware AppDefense system.

Ensure that you have access to the Integrations settings in the VMware AppDefense user interface so that you can generate the Endpoint URL and API Key that are required to configure a log source in JSA. You must have the correct user permissions for the VMware AppDefense user interface to complete the following procedure:

  1. Log in to your VMware AppDefense user interface.
  2. From the navigation menu, click the icon to the right of your user name, and then select Integrations.
  3. Click PROVISION NEW API KEY.
  4. In the Integration Name field, type a name for your integration.
  5. Select an integration from the Integration Type list.
  6. Click PROVISION, and then record and save the following information from the message in the window that opens. You need this information when you configure a log source in JSA:
    • EndPoint URL

    • API Key - This is the Authentication Token parameter value when you configure a log source in JSA.

    Note

    If you click OK or close the window, the information in the message can't be recovered.

VMware AppDefense API Log Source Parameters for VMware AppDefense

If JSA does not automatically detect the log source, add a VMware AppDefense log source on the JSA Console by using the VMware AppDefense API protocol.

When using the VMware AppDefense API protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect VMware AppDefense API events from VMware AppDefense:

Table 2: VMware AppDefense API Protocol Log Source Parameters for the VMware AppDefense DSM

Specification

Value

Log Source Type

VMware AppDefense

Protocol Configuration

VMware AppDefense API

Log Source Identifier

Type the IP address or host name for the log source as an identifier for events from your VMware AppDefense devices.

Endpoint URL

The endpoint URL for accessing VMware AppDefense. Example revision:https://server_name.vmwaredrx.com/partnerapi/v1/ orgs/<organization ID>

Authentication Token

A single authentication token that is generated by the AppDefense console and must be used for all API transactions.

Use Proxy

If JSA accesses the VMware AppDefense API by using a proxy, enable Use Proxy.

If the proxy requires authentication, configure the Hostname, Proxy Port, Proxy Username, and Proxy fields.

If the proxy does not require authentication, configure the Hostname and Proxy Port fields.

Automatically Acquire Server Certificate(s)

If you choose Yes from the drop down list, JSA automatically downloads the certificate and begins trusting the target server. If No is selected JSA does not attempt to retrieve any server certificates.

Recurrence

Beginning at the Start Time, type the frequency for how often you want the remote directory to be scanned. Type this value in hours(H), minutes(M), or days(D). For example, 2H if you want the directory to be scanned every 2 hours. The default is 5M.

EPS Throttle

The maximum number of events per second.

The default is 5000.

VMware AppDefense Sample Event Messages

Table 3: VMware AppDefense Sample Message Supported by VMware AppDefense.

Event name

Low level category

Sample log message

Inbound Connection Rule Violation

Firewall Deny

{"id":1111111,"createdAt":1512009263.471000000, "remediation":{"id":1111111},"severity":"CRITICAL", "lastReceivedAt":1516170726.957000000,"count":2, "status":"UNRESOLVED","violationDetails":{"processHa shSHA256":"10000000000000000000000000000000000000000 00000000000000000000000","processHash":"100000000000 00000000000000000000","cli":"<cli>”, “localPort":"<24 ","processPath":"","alert":"INBOUND_CONNECTION_RULES _VIOLATION","localAddress":"192.0.2.0","ipProtocol": "tcp","preEstablishedConnection":"FALSE"},"violating VirtualMachine":{"id":1111111,"vmToolsStatus":"TOOLS _NOT_RUNNING","vcenterUuid":"11111111-1111-1111-1111 -111111111111","vmUuid":"11111111-1111-1111-1111-111 111111111","ipAddress":"192.0.2.0”,"osType":"WINDOWS ","vmManageabilityStatus":"HOST_MODULE_ENABLED_AND_

GUEST_MODULE_MISSING","guestAgentVersion":"1.0.1.0""macAddress":">

MacAddress>","guestId":"windows8","healthStatus":"CRITICAL","service

":{"id":00000},"vm Id":"1","guestAgentStatus

":"Disconnected","guest Name":"

Microsoft Windows","guestStatus":

"POWERED_OFF","name":"<name>","hostName":"<hostname>Hostname>"},"viol atingProcess":{"processReputationProfile"

:null, "fullPathName":"System","<system>":"<System>","pro cess256Hash":"100000000000000000000000000000000000 0000000000000000000000000000","processMd5Hash":"10 000000000000000000000000000000"},"subRuleViolated" :null,"ruleViolated":"INBOUND_CONNECTION"}

Outbound Connection Rule Violation

Firewall Deny

{"id":10101001,"createdAt":1512009263.495000000, "remediation":{"id":1551519},"severity":"CRITICAL", "lastReceivedAt":1516224258.818000000,"count":0000 1,"status":"UNRESOLVED","violationDetails":{"proce ssHashSHA256":"00000000000000000000000000000000000 00000000000000000000000000","processHash":"0000000 000000000000000000000000","cli":"C:\\<path>path>,"alert" :"OUTBOUND_CONNECTION_RULES_VIOLATION","localAddre ss":"192.0.2.0","remotePort":"24","ipProtocol": "udp","preEstablishedConnection":"FALSE","remote Address":"0000::0:0"},"violatingVirtualMachine": {"id":101010,"vmToolsStatus":"TOOLS_NOT_RUNNING", "vcenterUuid":"11111111-1111-1111-1111-1111111111 11","vmUuid":"11111111-1111-1111-1111-11111111111 1","ipAddress":"192.0.2.0","osType":"WINDOWS","vm ManageabilityStatus":"HOST_MODULE_ENABLED_AND_GUE ST_MODULE_MISSING",

"guestAgentVersion":"1.0.1.0",

"macAddress":"<MacAddress>","guestId":"windows8", "healthStatus":"CRITICAL",

"service":{"id":28486}, "vmId":"1","guestAgentStatus":"Disconnected","guest Name":"Microsoft Windows","guestStatus":"POWERED_ OFF","name":"<name>","hostName":"<host>"},"violat ingProcess":{"processReputationProfile":{"process FileInfo":{"md5":"000000000000000000000000000000", "sha256":"000000000000000000000000000000000000000 00000000000000000000","container":false,"executab le":true,"ssdeep":"100:THGFJFJFHJY7y86gHK7GHk7ghj gkghjk","fileSizeBytes":1

,"peFormat":true,"firstSeenName":"

<fileName>","sha1":"00000000000000000 0000000000000000000","crc32":null},"peHeaderMeta data":{"companyName":"Microsoft Corporation", "productName":"Microsoft Windows,"version":null, "originalName":"<host>","description":"<description>","fileVersion":"192.0.2.0,"codePage":null, "productVersion":"6.3.9600.17415","language": "English (U.S.)"},"certificate":{"commonName": "Windows","certificateexinfo":{"thumbprint":"0000 00000000000000000000000000000000000000000","issue rThumbprint":"000000000000000000000000000000000" ,"serialNumber":null,"validToDate":1437604140.00 0000000,"validFromDate":1398205740.000000000,"pu blisher":null,"name":null}},"trust":10,"threat": 0},"fullPathName":"C:\\<path>","process256Hash": "00000000000000000000000000000000000000000000000 0000000000000","processMd5Hash":"000000000000000 000000000000000000"},"subRuleViolated":null,"rul eViolated":"OUTBOUND_CONNECTION"}