IBM MaaS360 Security
The IBM MaaS360 Security DSM for JSA collects event logs from the MaaS360 Security console.
The following table identifies the specifications for the IBM MaaS360 Security DSM:
|
Specification |
Value |
|---|---|
|
Manufacturer |
IBM |
|
DSM name |
IBM MaaS360 Security |
|
RPM file name |
DSM-IBMFiberlinkMaaS360 |
|
Supported versions |
N/A |
|
Event format |
LEEF, JSON |
|
JSA recorded event types |
Compliance rule events Device enrollment events Action history events |
|
Automatically discovered? |
No |
|
Included identity? |
Yes |
|
Includes custom properties? |
No |
|
More information |
To integrate IBM MaaS360 Security with JSA, use the following steps:
-
If automatic updates are not enabled, download the most recent versions of the RPMs from the Juniper Downloads.
-
DSMCommon RPM
-
IBM Fiberlink REST API Protocol RPM
-
IBM MaaS360 Security RPM
-
Universal Cloud REST API Protocol RPM
-
-
Configure your MaaS360 Security instance to enable communication with JSA.
-
Create an IBM MaaS360 Security log source on the JSA Console.
IBM Fiberlink REST API Log Source Parameters for IBM MaaS360 Security
If JSA does not automatically detect the log source, add a IBM MaaS360 Security log source on the JSA Console by using the IBM Fiberlink REST API protocol.
When using the IBM Fiberlink REST API protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect IBM Fiberlink REST API events from IBM MaaS360 Security:
|
Parameter |
Value |
|---|---|
|
Log Source type |
IBM MaaS360 Security |
|
Protocol Configuration |
IBM Fiberlink REST API |
|
Log Source Identifier |
Type a unique identifier for the log source. The Log Source Identifier can be set to any valid value and does not need to reference a specific server. You can set the Log Source Identifier to the same value as the Log Source Name. If you have more than one IBM MaaS360 Security log source that is configured, you might want to identify the first log source as MaaS3601, the second log source as MaaS3602, and the third log source as MaaS3603. |
Universal Cloud REST API Log Source Parameters for IBM MaaS360 Security
If JSA does not automatically detect the log source, add a IBM MaaS360 Security log source on the JSA Console by using Universal Cloud REST API protocol.
When using the Universal Cloud REST API protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect Universal Cloud REST API events from IBM MaaS360 Security:
|
Parameter |
Value |
|---|---|
|
Log Source type |
IBM MaaS360 Security |
|
Protocol Configuration |
Universal Cloud REST API protocol |
|
Log Source Identifier |
Type a unique identifier for the log source. The Log Source Identifier can be set to any valid value and does not need to reference a specific server. You can set the Log Source Identifier to the same value as the Log Source Name. If you have more than one IBM MaaS360 Security log source that is configured, you might want to identify the first log source as MaaS3601, the second log source as MaaS3602, and the third log source as MaaS3603. |
For a complete list of Universal REST API protocol parameters and their values, see Universal Cloud REST API Protocol.
Configuring an IBM Fiberlink MaaS360 Log Source in JSA
To collect IBM Fiberlink MaaS360 events, configure a log source in JSA.
To enable IBM Fiberlink MaaS360 to communicate with JSA, you must enable the REST API. Contact Fiberlink customer service to enable the REST API for your Fiberlink MaaS360 account.
-
Log in to JSA.
-
Click the Admin tab.
-
In the navigation menu, click Data Sources.
-
Click the Log Sources icon.
-
Click Add.
-
From the Log Source Type list, select IBM Fiberlink MaaS360.
-
From the Protocol Configuration list, select IBM Fiberlink REST API.
-
Configure the following IBM Fiberlink REST API parameters:
Parameter
Description
Log Source Identifier
Type a unique identifier for the log source.
The Log Source Identifier can be set to any valid value and does not need to reference a specific server. You can set the Log Source Identifier to the same value as the Log Source Name. If you have more than one IBM Fiberlink MaaS360 log source that is configured, you might want to identify the first log source as fiberlink1 , the second log source as fiberlink2 , and the third log source as fiberlink3 .
Login URL
The URL for the Fiberlink MaaS360 REST server.
Username
The user name that is used to access the MaaS360 APIs.
Users with the following administrator roles can access the APIs:
-
Service Administrator
-
Administrator
-
Administrator-Level 2
Password
The password that is used to access your MaaS360 APIs.
Secret Key
The secret key that is provided by Fiberlink Customer Service when you enabled the REST API.
App ID
The App ID that was provided by Fiberlink Customer Service when you enabled the REST API.
Billing ID
The Billing ID for your Fiberlink MaaS360 account.
Platform
The platform version of the Fiberlink MaaS360 console.
App Version
The App Version of the application that corresponds to your REST API account.
Use Proxy
If JSA accesses the FiberlinkMaaS360 API by using a proxy, select the Use Proxy check box.
If the proxy requires authentication, configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields.
If the proxy does not require authentication, configure the Proxy Server and Proxy Port fields
Automatically Acquire Server Certificate(s)
JSA automatically downloads the server certificate and begins trusting the target server when the Yes option is selected.
-
-
Configure the remaining parameters.
-
Click Save.
-
On the Admin tab, click Deploy Changes.
IBM MaaS360 Security sample event messages
Use these sample event messages to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
- IBM MaaS360 Security sample message when you use the Syslog protocol
- IBM MaaS360 Security sample message when you use the Universal Cloud REST API protocol
IBM MaaS360 Security sample message when you use the Syslog protocol
The following sample event message shows that a Change Policy is executed for OS versions in IBM MaaS360 Security.
LEEF:1.0|IBM|Fiberlink MaaS360|1.0|OS Versions|cat=Change Policy - Executed usrName=test 1 devTime=2014-05-08T07:29:26Z devTimeFormat=yyyy-MM-dd&aaaa;T&aaaa;HH:mm:ss&aaaa;Z&aaaa; ruleset=1040 psr kr rule platformName=aAA deviceName=Aaaaaa&aaaa;s iAaa aaaaa rule=OS Versions action=Change Policy actionStatus=Executed maas360DeviceID=AaaaA1AAAAAAAA1
|
JSA field name |
Highlighted values in the payload |
|---|---|
|
Event ID |
OS Versions |
|
Event Category |
Change Policy - Executed |
|
Username |
test 1 |
IBM MaaS360 Security sample message when you use the Universal Cloud REST API protocol
The following sample event message shows that the malicious SMS that is received indicates SMS phishing or malware links in iOS and Android in IBM MaaS360 Security.
{"eventId":"MALICIOUS_SMS","eventName":"Malicious SMS Received","eventDescription":"SMS with
malicious URL received","eventCategory":"THREAT","eventTime":1614678617000,"eventAction":"Notify
User","eventAdditionalInfo":"{\"0\":{\"type\":\"sender\",\"value\":\"+111111111111\"}}{\"1\":
{\"type\":\"REQUEST_TAG\",\"value\":\"1740\"}}{\"2\":{\"type\":\"url\",\"value
\":\"aaaaaaaaaaaaa.test
\"}}","userIdentifier":"111111111A11A111A111A1A111A1A1A1","userName":"testuser","userEmail":"testu
ser@aa.test.test","userDomain":"ibm","deviceIdentifier":"Android1111aa11111111aa","deviceName":"te
stuser-AA-A111A","deviceModel":"AAA111A","
deviceManufacturer":"aaaaaaa","deviceOS":"10","id":"Android1111aa11111111aa-1111111"}|
JSA field name |
Highlighted values in the event payload |
|---|---|
|
Event ID |
MALICIOUS_SMS |
|
Event Category |
THREAT |
|
Username |
testuser@aa.test.test |
|
Device Time |
1614678617000 (displays as Mar 2, 2021, 5:50:17 AM in JSA) |