SIEM Syslog, LEEF and CEF Logging
The Juniper ATP Appliance platform collects, inspects and analyzes advanced and stealthy web, file, and email-based threats that exploit and infiltrate client browsers, operating systems, emails and applications. Juniper ATP Appliance’s detection of malicious attacks generates incident and event details that can be sent to connected SIEM platforms in CEF, LEEF or Syslog formats. This guide provides information about incident and event collection using these formats.
Juniper ATP Appliance generates LEEF or CEF logs for Download (DL) and Infection (IN) incidents, including phishing (PHS, DL + PHS), for the following event types.
http | email | cnc | submission | exploit | data theft
Note:DL (Download)-based CEF Logs contain the hash and file type of the downloaded malware file. IN (Infection)-based CEF Logs do not provide a hash and file type.
Identity information is also sent as part of SIEM. Refer to Active Directory integration information, external collector options, and other Advanced Threat Analytics and Anti-SIEM filtering options available from the Operator’s Guide.
This guide focuses on CEF, LEEF and Syslog outputs for SIEM mapping and integration. Juniper ATP Appliance also provides JSON-based HTTP API results and ASCII TEXT notifications that are not discussed in this guide; refer to the Juniper ATP Appliance HTTP API Guide for more information.
In addition, Juniper ATP Appliance extended Syslog functionality in a previous release and added more details to Syslog messaging. Syslog alerts are sent for the following Incident and event types:
Downloads
Infections
Exploits
Email Downloads
Phishing
File Uploads (malware analysis)
Data Theft
Endpoint Identity information
Juniper ATP Appliance has added extra fields to the Syslog output such as externalId (Incident ID), eventID (Event ID), and so on. All extra fields are included in this document.
The Juniper ATP Appliance Central Manager WebUI Config> Notifications> SIEM Settings provides the option to configure event and system audit notifications for CEF-format, LEEF-format, or SYSLOG SIEM servers. The servers, in turn, must be configured to receive the Juniper ATP Appliance notifications in CEF, LEEF and Syslog formats (provide hostname and port number for Syslog).
Configure SIEM Settings in order to have Events or System Audit notifications sent to designated hosts aslogs in either CEF, LEEF or Syslog format.
Note that if selecting Syslog as the SIEM setting when configuring System Health alerts, you can choose to include the Hostname or Process name in the Syslog messages that are sent from the Juniper ATP Appliance: Show Hostname and Show Process Name:
To create a new SIEM notification:
Navigate to the Config>Notifications page and select SIEM Settings from the left panel menu.
Click Add New SIEM Connector to set up a new Events, System Audit or System Health log notification in CEF, LEEF or Syslog format.
Select from the available options and click Add to complete the configuration and add the new SIEM connector configuration to the Active SIEMS list.
Using CEF Alert event_id or incident_id to Display Details in Web UI
Given an incident_id or event_id, you can use the following URLs to display relative details in the Juniper ATP Appliance Web UI.
Replace “JATP_HOSTNAME_HERE” with your Juniper ATP Appliance host name, and replace “0000000” with the event_id or incident_id.
https://JATP_HOSTNAME_HERE/admin/index.html?incident_id=0000000
https://JATP_HOSTNAME_HERE/admin/index.html?event_id=0000000
The system will prompt for login/password if no login session is currently active.
To display, delete or edit an Active SIEM connector configuration:
To display a recent report, or delete or edit an existing SIEM configuration, click Display, Delete or Edit, respectively, in the Active SIEM table for a selected configuration row.
Edit, modify or delete the current settings and fields as desired, then click Save.
Alert notification configuration options
Alert notifications for SIEM events or system audits are available only if Outgoing Mail Settings are configured from the Config>System Settings menu.
Descriptions of Events alert settings are provided in the following tables.
Type |
Select the type of SIEM connector notification to be configured: Event |
Format |
Select CEF or Syslog as the notification output format. |
Malware Severity |
To filter the log notification by malware severity results, choose either: All Malware | Critical, High or Med | Critical or High |
Generate On |
Select Trigger or By Schedule to set the method by which a SIEM Events log is generated. If “By Schedule” is selected, then select a Day, then enter a Time in the format 00:00 am or pm to set the day(s) and time at which the alert is to be generated. |
Host Name |
Enter the host name of the CEF or Syslog server. |
Port Number |
Enter the port number of the CEF or Syslog server. |
Type |
Select the type of SIEM notification to be configured: System Audit |
Format |
Select CEF or Syslog as the notification output format. |
Event Type |
Select the event type(s) to include in the alert notification: Login/Logout | Failed logins | Add/Update Users | System Settings | Restarts |
Format |
Select CEF or Syslog as the log output format. |
Generate On |
Select Trigger or By Schedule to set the method by which a SIEM System Audit log is generated. If “By Schedule” is selected, then select a Day, then enter a Time in the format 00:00 am or pm to set the day(s) and time at which the alert is to be generated. |
Type |
Select the type of SIEM connector log to be configured: System Health |
Health |
Select the health report type(s) to include in the SIEM log: Overall Health | Processing Delay |
Format |
Select CEF or Syslog as the log output format. Note that if selecting Syslog as the SIEM setting when configuring System Health alerts, you can choose to show or hide the Hostname or Process name in the Syslog messages that are sent from the Juniper ATP Appliance: show Hostname and Show Process Name. |
Generate On |
Select Trigger or By Schedule to set the method by which a SIEM System Audit log is generated. If “By Schedule” is selected, then select a Day, then enter a Time in the format 00:00 am or pm to set the day(s) and time at which the alert is to be generated. |
Syslog Trap Sink Server
When configuring a Juniper ATP Appliance to generate alert notifications in CEF or Syslog format, an administrator must confirm that the rsyslog trap-sink SIEM server supports CEF. The CEF output is accessible for parsing only on the rsyslog server and cannot be viewed from the Juniper ATP Appliance CLI or Web UI.
CEF, LEEF and Syslog Format
Common Event Format (CEF)and Log Event Extended Format (LEEF) are open standard syslog formats for log management and interoperabily of security related information from different devices, network appliances and applications. This open log format is adopted by Juniper ATP Appliance for sending Juniper ATP Appliance malware event , system audit and system health notifications to the configured channel.
LEEF FORMAT
As LEEF events are received, QRadar performs traffic analysis and inspects event traffic to identify the sending device or appliance traffic. When traffic analysis identifies an event source, the first 25 events are categorized as SIM Generic Log DSM events with the event name set as Unknown Log Event. After the event traffic is identified, QRadar creates a log source to categorize and label events that have been forwarded from the sending appliance or software. Events sent from the sending device are viewable in QRadar on the Log Activity tab.
Refer to the QRadar Log Event Extended Format (LEEF) Guide at https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/b_Leef_format_guide.pdf for more information.
For information about installing the Juniper ATP Appliance DSM plugin, refer to Installing the QRadar Juniper ATP Appliance DSM for LEEF Alerts.
CEF FORMAT
The standard CEF format is:
CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
The Juniper ATP Appliance CEF format is as follows:
CEF:0|JATP|Cortex|<JATP version 5.0>|<event type: http,email,datatheft...>|<malware name>|<incident risk mapping to 0- 10>|externalId=<JATP Incident ID> eventId=<JATP event ID> <ExtensionField=value...>...
The CEF format contains the most relevant malware event, system audit or system health information, making it available for event consumers to parse and to use the data interoperably. To integrate events, the syslog message format is used as a transport mechanism. This mechanism is structured to include a common prefix applied to each message, and contains the date and hostname as shown below:
<timestamp in UTC> host <message> where message=<header>|<extension>
Here is the common prefix as shown in Splunk:
<Timestamp in UTC> <server-fully-qualified domain name of the Juniper ATP box> <CEF format>
Here is the priority header format for Syslog:
<Syslog Priority> Timestamp Hostname Processname: SyslogContent
Syslog Priority is 134.
Syslog Facility is User-level and Syslog Severity is Notice. Hostname and Processname are configured from the SIEM Settings configuration page by checking the Show Hostname and Show Process Name options (see figure above).
Definitions for the primary CEF fields as well as the CEF Extension Field Key=Value Pair Definitions are provided in the following sections.
CEF Field Definitions
Definition |
Definition |
|---|---|
Version |
An integer that identifies the version of the CEF format. This information is used to determine what the following fields represent. Example: 0 |
Device Vendor Device Product Device Version |
Strings that uniquely identify the type of sending device. No two products Dec use the same device-vendor and device-product pair, although there is no central authority that manages these pairs. Be sure to assign unique name pairs. Example: JATP|Cortex|3.6.0.12 |
Signature ID/ Event Class ID |
A unique identifier in CEF format that identifies the event-type. This can be a string or an integer. The Event Class ID identifies the type of event reported. Example (one of these types): http |email| cnc| submission| exploit| datatheft |
Malware Name |
A string indicating the malware name. Example: TROJAN_FAREIT.DC |
Severity/Incident Risk Mapping |
An integer that reflects the severity of the event. For the Juniper ATP Appliance CEF, the severity value is an incident risk mapping range from 0-10 Example: 9. |
External ID |
The Juniper ATP Appliance incident number. Example: externalId=1003 |
Event ID |
The Juniper ATP Appliance Event ID number. Example: eventId=13405 |
Extension |
A collection of key-value pairs; the keys are part of a predefined set. An event can contain any number of key- value pairs in any order, separated by spaces. Note:
Review the definitions for these extension field labels provided in the section: CEF Extension Field Key=Value Pair Definitions. |
Timestamp format for Syslog is M D H:i:s
Juniper ATP Appliance CEF Notification Example
The following CEF example is defined per field and label:
CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
The Juniper ATP Appliance CEF format is as follows:
2016-01-23 17:36:39.841+00 tap0.test.JATP.net
CEF:0|JATP|Cortex|3.6.0.15|cnc|TROJAN_Zemot.CY|7|externalId=995
eventId=123 lastActivityTime=2016-01-23 17:36:39.841+00
src=50.154.149.189 dst=192.168.1.10 malwareSeverity=0.5
malwareCategory=Trojan_DataTheft cncServers=50.154.149.189
Nov 23 17:36:39 10-3 : Timestamp in UTC 2016-01-23 17:36:39.841+00
tap00.test.JATP.net : Server-fully-qualified domain name of the JATP box
CEF:0 : CEF version is 0
JATP : Device vendor is Juniper
Cortex : Device product is Cortex
5.0 : Device version (Version number as shown in the GUI)
cnc : Type of event
TROJAN_Zemot.CY : Name of the malware
7 : Severity (range between 0-10)
995 : External ID
123 : Event ID
2016-01-23 17:36:39.841+00 : Last Activity Time stamp
50.154.149.189 : Source IP Address
192.168.1.10 : Destination IP Address
0.5 : Malware Severity Rating
Trojan_DataTheft : Malware Category
31.170.165.131 : CnC server IP Address