Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

IBM Security Trusteer Apex Advanced Malware Protection

The IBM Security Trusteer Apex Advanced Malware Protection DSM collects event data from a Trusteer Apex Advanced Malware Protection system to JSA.

JSA can collect the following items from the Trusteer Apex Advanced Malware Protection system:

  • Syslog events

  • Log files (from an intermediary server that hosts flat feed files from the system.)

  • Syslog events through SSL/TLS authentication

The following table lists the specifications for the IBM Security Trusteer Apex Advanced Malware Protection DSM:

Table 1: IBM Security Trusteer ApexAdvanced Malware Protection DSM Specifications

Specification

Value

Manufacturer

IBM

DSM name

IBM Security Trusteer Apex Advanced Malware Protection

RPM file name

DSM-TrusteerApex-JSA_version-build_number.noarch.rpm

Supported versions

Syslog/LEEF event collection: Apex Local Manager 2.0.45

LEEF: ver_1303.1

Flat File Feed: v1, v3, and v4

Protocol

Syslog

Log File

TLS Syslog

Recorded event types

Malware Detection

Exploit Detection

Data Exfiltration Detection

Lockdown for Java Event

File Inspection Event

Apex Stopped Event

Apex Uninstalled Event

Policy Changed Event

ASLR Violation Event

ASLR Enforcement Event

Password Protection Event

Automatically discovered?

Yes

Includes identity?

No

Includes custom properties?

No

More information

IBM Security Trusteer Apex Advanced Malware Protection website

To configure IBM Security Trusteer Apex Advanced Malware Protection event collection, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs from the Juniper Downloads onto your JSA console:

    • DSMCommon RPM

    • Log File Protocol RPM

    • TLS Syslog Protocol RPM

    • IBM Security Trusteer Apex Advanced Malware Protection DSM RPM

  2. Choose one of the following options:

    • To send syslog events to JSA, see "Configuring IBM Security Trusteer Apex Advanced Malware Protection to send syslog events to JSA".

    • To collect log files from IBM Security Trusteer Apex Advanced Malware Protection through an intermediary server, see "Configuring a Flat File Feed service". For JSA to retrieve log files from IBM Security Trusteer Apex Advanced Malware Protection, you must set up a flat file feed service on an intermediary SFTP-enabled server. The service enables the intermediary server to host the flat files that it receives from IBM Security Trusteer Apex Advanced Malware Protection and allows for connections from external devices so that JSA can retrieve the log files.

  3. If JSA does not automatically discover the log source, add an IBM Security Trusteer Apex Advanced Malware Protection log source on the JSA console.

    The following table describes the parameters that require specific values for IBM Security Trusteer Apex Advanced Malware Protection syslog event collection:

    Table 2: IBM Security Trusteer Apex Advanced Malware Protection Log Source Parameters for Syslog

    Parameter

    Value

    Log Source type

    IBM Security Trusteer Apex Advanced Malware Protection

    Protocol Configuration

    Syslog

    Log Source Identifier

    The IP address or host name from the syslog header. If the syslog header does not contain an IP address or a host name, use the packet IP address.

    TLS Listen Port

    The default port is 6514.

    Authentication Mode

    TLS

    Certificate Type

    Select the Provide Certificate option from the list.

    Maximum Connections

    The Maximum Connections parameter controls how many simultaneous connections the TLS Syslog protocol can accept for each Event Collector. For each Event Collector, there is a limit of 1000 connections across all TLS syslog log source configurations. The default for each device connection is 50.

    Note:

    Automatically discovered log sources that share a listener with another log source count only one time towards the limit. For example, the same port on the same event collector.

    TLS Protocols

    Select the version of TLS installed on the client from the drop down list.

    Provided Server Certificate Path

    Absolute path of server certificate. For example, /opt/qradar/conf/trusted_certificates/apex-almtls. cert

    Provided Private Key Path

    Absolute path of PKCS#8 private key. For example, /etc/pki/tls/private/apex-alm-tls.pk8
    Note:

    When you use the TLS syslog, and you want to use an FQDN to access the system, you must generate your own certificate for the listener, and then specify it in the TLS syslog configuration.

    The following table describes the parameters that require specific values for IBM Security Trusteer Apex Advanced Malware Protection TLS syslog event collection:

    Table 3: IBM Security Trusteer Apex Advanced Malware Protection Log Source Parameters for TLS Syslog protocol

    Parameter

    Value

    Log Source type

    IBM Security Trusteer Apex Advanced Malware Protection

    Protocol Configuration

    TLS Syslog

    Log Source Identifier

    The IP address or host name from in syslog header. If the syslog header does not contain an IP address or host name, use the packet IP address.

    TLS Listen Port

    The default port is 6514.

    Authentication Mode

    TLS

    Authentication Mode

    Select the Provide Certificate option from the list.

    Maximum Connections

    The Maximum Connections parameter controls how many simultaneous connections the TLS Syslog protocol can accept for each Event Collector. For each Event Collector, there is a limit of 1000 connections across all TLS syslog log source configurations. The default for each device connection is 50.

    Note:

    Automatically discovered log sources that share a listener with another log source count only one time towards the limit. For example, the same port on the same event collector.

    TLS Protocols

    Select the version of TLS installed on the client from the drop down list.

    Provided Server Certificate Path

    Absolute path of server certificate For example /opt/qradar/conf/trusted_certificates/apex-almtls. cert.

    Provided Private Key Path

    Absolute path of PKCS#8 private key. For example /etc/pki/tls/private/apex-alm-tls.pk8
    Note:

    When you use the TLS syslog, and you want to use an FQDN to access the system, you must generate your own certificate for the listener, and then specify it in the TLS syslog configuration

    The following table describes the parameters that require specific values for IBM Security Trusteer Apex Advanced Malware Protection Log File collection:

    Table 4: IBM Security Trusteer Apex Advanced Malware Protection Log Source Parameters for Log File Protocol

    Parameter

    Value

    Log Source Type

    IBM Security Trusteer Apex Advanced Malware Protection

    Protocol Configuration

    Log File

    Log Source Identifier

    The IP address or host name of the server that hosts the flat file feed.

    Service Type

    SFTP

    Remote IP or Hostname

    The IP address or host name of the server that hosts the flat file feed.

    Remote Port

    22

    Remote User

    The user name that you created for JSA on the server that hosts the flat file feed.

    SSH Key File

    If you use a password, you can leave this field blank.

    Remote Directory

    The log file directory where the flat feed files are stored.

    Recursive

    Do not select this option.

    FTP File Pattern

    "trusteer_feeds_.*?_[0-9]{8}_[0-9]*?\.csv"

    Start Time

    The time that you want your log file protocol to start log file collection.

    Recurrence

    The polling interval for log file retrieval.

    Run On Save

    Must be enabled.

    Processor

    None

    Ignore Previously Processed Files

    Must be enabled.

    Event Generator

    LINEBYLINE

    File Encoding

    UTF-8

Configuring IBM Security Trusteer Apex Advanced Malware Protection to Send Syslog Events to JSA

Configure IBM Security Trusteer Apex Advanced Malware Protection to send syslog events to JSA.

Install an Apex Local Manager on your Trusteer Management Application (TMA).

For more information about configuring your IBM Security Trusteer Apex Advanced Malware Protection to communicate with JSA, use the following documentation from the Juniper Networks Knowledge Center:

  • IBM Security Trusteer Apex Advanced Malware Protection Local Manager - Hybrid Solution Reference Guide

  • IBM Security Trusteer Apex Advanced Malware Protection Feeds Reference Guide

SSL/TLS authentication is not supported.

  1. Log in to Trusteer Management Application (TMA).

  2. Select Apex Local Manager & SIEM Settings.

  3. If the Apex Local Manager wizard does not automatically display, click Add.

  4. Type the name of the Apex Local Manager.

  5. Check the Enable box and click Next.

  6. Type the server settings for JSA and click Next.

  7. If you use a separate syslog server for the Apex Local Manager system events, type the settings.

  8. Click Finish.

Configuring IBM Security Trusteer Apex Advanced Malware Protection to Send TLS Syslog Events to JSA

You can configure IBM Security Trusteer Apex Advanced Malware Protection to send syslog events through secure socket layer (SSL) or transport layer security (TLS) to JSA.

Complete the following steps to establish a secure channel for transmitting logs between Apex Trusteer and JSA:

  1. Create TLS/SSL Server Certificates and private key.

  2. Create Client Authentication certificates in a PKCS#12 container for Apex Local Manager.

  3. Configure the JSA log source for IBM Security Trusteer Apex Advanced Malware Protection.

  4. Configure the Apex Local Manager(ALM).

Creating a TLS/SSL Server Certificate and Private Key

To establish a communication between JSA and Apex Local Manager (ALM) by using TLS encryption, you must create a self-signed certificate with public and private key pairs.

  1. Log in to JSA as a root user by using SSH.

  2. Create a self-signed certificate. For example,

    openssl req -new -x509 -newkey rsa:2048 -days 3650 -sha512 -nodes -x509 -subj "/C=US/ST=Georiga/L=Atlanta/O=IBM/OU=IBM Security/CN=JSA FQDN or ip address" -keyout apex-alm-tls.key -out apex-alm-tls.cert

  3. Convert the private key to the required DER encode PKCS#8 format:

    openssl pkcs8 -topk8 -inform PEM -outform DER -in apex-alm-tls.key -out apex-alm-tls.pk8 -nocrypt

    Note:

    • Use a unique filename if a certificate needs to be changed or updated.

    • Put the certificate file in /opt/qradar/conf/trusted_certificates.

    • Do not place the PKCS#8 formatted key file in /opt/qradar/conf/trusted_certificates.

Creating Client Authentication Certificates and Keys for Apex Local Manager

Configuring an ALM for TLS Syslog authentication requires a PKCS#12 file that contains the certificate and private key.

  1. Create a self-signed certificate and private key. For example,

    openssl req -new -x509 -newkey rsa:2048 -days 3650 -sha512 -nodes -x509 -subj "/C=US/ST=Georiga/L=Atlanta/O=IBM/OU=IBM Security/CN=ALM FQDN or IP Address" -keyout alm-client-syslog-tls.key -out alm-client-syslog-tls.cert

  2. Create the PKCS#12 container:

    openssl pkcs12 -export -inkey alm-client-syslog-tls.key -in alm-client-syslog-tls.cert -out alm-client-syslog-tls.p12 -name "alm-client-syslog-tls"

    Note:

    Make note of the password that you entered. The password is required when you configure the Apex Local Manager.

Configuring the Apex Local Manager

Configure the Apex Local Manager through a customer-assigned Apex Trusteer Management Application (TMA) original server.

  1. Log in to the Apex TMA.

  2. From the left navigation menu, click the Administration accordion to expand the options available.

  3. Click the Apex Local Manager & SIEM Settings.

  4. Click Add and complete the following steps:

    1. Select the option to enable this Apex Local Manager.

    2. Enter a unique name.

  5. Click Next.

  6. From the SIEM/Syslog Server Settings page, provide a value for the following parameters:

    Table 5: Apex Local Manager SIEM/Syslog Server Setting Parameters

    Parameter

    Description

    Type

    JSA SIEM (LEEF)

    Hostname

    <fqdn of the JSA appliance>

    Port

    Default is 6514.

    Protocol

    TCP with SSL/TLS

    PKCS#12 Upload File

    Upload the local PKCS#12 file

    Encryption Password

    The password that was entered during the creation of the client authentication certificates for Apex Local Manager.

    CA Certificate Upload File

    Upload local certifcate file. For example, apex-alm-tls.cert

  7. Click Next.

  8. From the System Events Setting page, provide a value for the following parameters:

    Table 6: System Events Setting Parameters

    Parameter

    Description

    Hostname

    <JSA FQDN or IP Address>

    Port

    Default is 6514

    Protocol

    Syslog with SSL/TLS

    PKCS#12 Upload File

    Upload the local PKCS#12 file. For example, alm-client-syslog.tls.p12

    Encryption Password

    The password that was entered during the creation of the client authentication certificates for Apex Local Manager.

    CA Certificate Upload File

    Upload local certifcate file. For example, apex-alm-tls.cert

  9. Click Finish to save the configuration.

  10. Select the new entry.

  11. Copy the Provisioning key.

Configuring the ALM Instance

Configure the ALM instance by using the provisioning key copied from the Apex Local Manager.

  1. Log in to the Apex Local Manager at:

    https://ipaddress:8443

  2. From the General Settings page, paste the provisioning key into the field and click the Synchronize Settings.

    Note:

    A message will be displayed that states that the settings synchronized successfully.

  3. Click the Test Connection to send test event to JSA and validate the connection.

Configuring a Flat File Feed Service

For JSA to retrieve log files from IBM Security Trusteer Apex Advanced Malware Protection, you must set up a flat file feed service on an intermediary SFTP-enabled server. The service enables the intermediary server to host the flat files that it receives from IBM Security Trusteer Apex Advanced Malware Protection and allows for connections from external devices so that JSA can retrieve the log files.

To configure IBM Security Trusteer Apex Advanced Malware Protection to send flat file feed to the intermediary server, contact IBM Trusteer support.

Flat File Feeds use a CSV format. Each feed item is written to the file on a separate line, which contains several comma-separated fields. Each field contains data that describes the feed item. The first field in each feed line contains the feed type.

  1. Enable an SFTP-enabled server and ensure that external devices can reach it.

  2. Log on to the SFTP-enabled server.

  3. Create a user account on the server for IBM Security Trusteer Apex Advanced Malware Protection.

  4. Create a user account for JSA.

  5. Enable SSH key-based authentication.

After you set up the intermediary server, record the following details:

  • Target SFTP server name and IP addresses

  • SFTP server port (standard port is 22)

  • The file path for the target directory

  • SFTP user name if SSH authentication is not configured

  • Upload frequency (from 1 minute to 24 hours)

  • SSH public key in RSA format

IBM Trusteer support uses the intermediary server details when they configure IBM Security Trusteer Apex Advanced Malware Protection to send flat feel files.

Related Documentation