Skyhigh Security

Fine-tuning the collection and evaluation of syslog data

Several fine-tuning activities can be performed to ensure that relevant syslog data is collected on Web Gateway and efficiently evaluated on Trellix ESM.

The amount of syslog data that is collected can be throttled by excluding less relevant data and restricting the process to logging only important events. Conversely, relevant data that is not logged by default can be added to the syslog data by implementing additional logging activities.

On Trellix ESM, data aggregation can be disabled to ensure that no relevant data is overlooked.

Throttling the amount of syslog data

The amount of syslog data that Web Gateway sends to Trellix ESM can be throttled by taking, for example, the following measures.

  • Excluding Authentication Required (status code 407) responses — These are standard responses that do not require much attention regarding web security.
    To exclude these responses from the syslog data that is transferred, add a rule in the rule set that you imported.
    The rule must be placed, together with other throttling rules that you might implement, at the top of the rule set. It should look as follows:
    Name: Exclude 407 responses
    Criteria: Response.StatusCode equals 407
    Action: Stop Rule Set
  • Sending only logged Block actions — Block actions are crucial in maintaining web security, but usually account for only a small proportion of web traffic.
    To restrict the syslog data that is transferred to these logged actions, add a rule in the rule set that you imported.
    The rule must be placed, together with other throttling rules that you might implement, at the top of the rule set. It should look as follows:
    Name: Send only logged Block actions
    Criteria: Block.ID equals 0
    Action: Stop Rule Set

Adding hashes of infected files to the syslog data

The hash values of files that were processed on Web Gateway and found to be infected can be added to the syslog data. File hashes can be useful for tracking infections and possible outbreaks.

NOTE: As hashing consumes a large amount of resources, we recommend using it only for important issues. If in doubt, consult Skyhigh Security support.

To enable the calculation and logging of file hashes, add an event to the rule that detects and blocks infected files. By default, this rule is Block if virus was found in the Gateway Anti-Malware rule set.

The event should look as follows:

Header.Block.Add("X-Hash-MD5", Body.Hash("md5"))

The Header.Block.Add event is a preconfigured event that you can select from the list of available events. It adds an entry to the syslog log when the rule that it is inserted in applies.

The event takes two parameters, which you must configure:

  • X-Hash-MD5 — Name of the log entry
  • Body.Hash("md5") — Value of the log entry
    This parameter is a property for calculating the hash value of a file. Here it calculates the hash value of the infected file that was sent to Web Gateway as the body of a request or response.
    The property itself takes a parameter, which determines the method (algorithm) used to calculate the hash.

NOTE: If you are working with the key elements view for rule sets, you must switch to the complete rules view to add the event.

After adding the event, the blocking rule should look as follows.
Name: Block if virus was found
Criteria: Antimalware.Infected<Gateway Anti-Malware> equals true
Action: Block<Virus Found>
Events: Statistics.Counter.Increment("BlockedByAntiMalware", 1)<Default>
        Header.Block.Add("X-Hash-MD5", Body.Hash("md5"))

Disabling the aggregation of syslog data

When the Skyhigh Security SIEM Receiver receives syslog data from Web Gateway, this data is by default aggregated into a single record. While aggregation can be useful for many data sources, it could be undesirable for Web Gateway, as critical information might get lost during aggregation.

You can disable aggregation for Web Gateway data on Trellix ESM.

For more information, see the documentation for Trellix ESM and the Data Source Configuration Guide. The guide is provided in the online rule set library under SIEM (Nitro) Integration.
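The following Python script is an added example (not Skyhigh Security code and not the Web Gateway rule language) that models the three adjustments described above over a constructed set of transactions: the two throttling rules evaluated in order at the top of the rule set, the X-Hash-MD5 entry that the Header.Block.Add event contributes for infected files, and the information loss that receiver-side aggregation causes. The field names, the Block.ID value 80, the status codes and the bodies are assumptions chosen for illustration.

```python
import hashlib

# Constructed sample of what the rule engine sees per transaction: response
# status, Block.ID (0 = not blocked), the anti-malware verdict and the body.
SAMPLE_TRANSACTIONS = [
    {"url": "http://example.test/a", "status": 407, "block_id": 0, "infected": False, "body": b""},
    {"url": "http://example.test/b", "status": 200, "block_id": 0, "infected": False, "body": b"<html>ok</html>"},
    {"url": "http://example.test/c", "status": 403, "block_id": 80, "infected": True, "body": b"sample-one"},
    {"url": "http://example.test/d", "status": 403, "block_id": 80, "infected": True, "body": b"sample-two"},
]

def exclude_407(tx):
    """'Exclude 407 responses': Response.StatusCode equals 407 -> Stop Rule Set."""
    return tx["status"] == 407

def not_logged_block(tx):
    """'Send only logged Block actions': Block.ID equals 0 -> Stop Rule Set."""
    return tx["block_id"] == 0

# Throttling rules sit at the top of the rule set and are evaluated in order.
THROTTLING_RULES = [exclude_407, not_logged_block]

def should_forward(tx):
    """A transaction reaches syslog only if no throttling rule stops the rule set."""
    return not any(rule(tx) for rule in THROTTLING_RULES)

def body_hash(body, method="md5"):
    """Stand-in for Body.Hash(method): hash of the request or response body."""
    return hashlib.new(method, body).hexdigest()

def build_syslog_record(tx):
    """Fields forwarded for one transaction; the X-Hash-MD5 entry is what
    Header.Block.Add("X-Hash-MD5", Body.Hash("md5")) adds for infected files."""
    record = {"url": tx["url"], "status": tx["status"], "block_id": tx["block_id"]}
    if tx["infected"]:
        record["X-Hash-MD5"] = body_hash(tx["body"], "md5")
    return record

def throttled_syslog(transactions):
    """Records that survive the throttling rules, in original order."""
    return [build_syslog_record(tx) for tx in transactions if should_forward(tx)]

def aggregate(records):
    """Illustrative receiver-side aggregation: records with the same status and
    Block.ID collapse into the first record plus a count, so the second file's
    distinct hash is lost. This is the loss that disabling aggregation avoids."""
    merged = {}
    for rec in records:
        key = (rec["status"], rec["block_id"])
        merged.setdefault(key, dict(rec, count=0))["count"] += 1
    return list(merged.values())
```

Running throttled_syslog over the sample forwards only the two blocked infected downloads, each with its own hash; aggregate then merges them into a single record that keeps just the first hash.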
