Fine-tuning the collection and evaluation of syslog data
Several fine-tuning activities can be performed to ensure that relevant syslog data is collected on Web Gateway and efficiently evaluated on Trellix ESM.
The amount of syslog data that is collected can be throttled by excluding less relevant data and restricting the process to logging only important events. Relevant data can also be added, however, to the syslog data by implementing additional logging activities.
On Trellix ESM, data aggregation can be disabled to ensure that no relevant data is overlooked.
Throttling the amount of syslog data
The amount of syslog data that Web Gateway sends to Trellix ESM can be throttled by taking, for example, the following measures.
- Excluding Proxy Authentication Required (status code 407) responses. These are routine responses of the authentication handshake and carry little web-security relevance.
To exclude these responses from the syslog data that is transferred, add a rule to the rule set that you imported. It must go into that rule set, not elsewhere in the policy, because Stop Rule Set ends only the processing of the current rule set: placed there, it skips the syslog logging for the transaction and leaves the rest of the filtering policy untouched.
The rule must be placed, together with any other throttling rules that you implement, at the top of the rule set. It should look as follows:
Name: Exclude 407 responses
Criteria: Response.StatusCode equals 407
Action: Stop Rule Set
- Sending only logged Block actions. Block actions are crucial in maintaining web security, but usually account for only a small proportion of web traffic.
To restrict the syslog data that is transferred to the log entries for these actions, add a rule to the rule set that you imported. The Block.ID property is 0 when no block action has been applied to a transaction, so this rule stops the logging rule set for every request that was allowed and lets only blocked requests through.
The rule must be placed, together with any other throttling rules that you implement, at the top of the rule set. It should look as follows:
Name: Send only logged Block actions
Criteria: Block.ID equals 0
Action: Stop Rule Set
Adding hashes of infected files to the syslog data
The hash values of files that were processed on Web Gateway and found to be infected can be added to the syslog data. File hashes are useful for tracking an infection across clients and for recognizing a possible outbreak, since the same hash appearing on several clients points to the same malicious file.
NOTE: As hashing consumes a large amount of resources, we recommend using it only for important issues. If in doubt, consult Skyhigh Security support.
To enable the calculation and logging of file hashes, add an event to the rule that detects and blocks infected files. By default, this rule is Block if virus was found in the Gateway Anti-Malware rule set.
The event should look as follows:
Header.Block.Add("X-Hash-MD5", Body.Hash("md5"))
Header.Block.Add is a preconfigured event that you can select from the list of available events. When the rule it is inserted in applies, it adds a header named X-Hash-MD5 to the blocking response, and the SIEM rule set writes this header into the syslog entry for the transaction.
The event takes two parameters, which you must configure:
- "X-Hash-MD5": the name of the log entry
- Body.Hash("md5"): the value of the log entry
This second parameter is a property that calculates the hash value of a file. Here it hashes the infected file that was sent to Web Gateway as the body of a request or response.
The property itself takes a parameter, a string that selects the hashing method (here md5).
NOTE: If you are working with the key elements view for rule sets, you must switch to the complete rules view to add the event.
After adding the event, the blocking rule should look as follows.
Name: Block if virus was found
Criteria: Antimalware.Infected<Gateway Anti-Malware> equals true
Action: Block<Virus Found>
Events: Statistics.Counter.Increment, Header.Block.Add("X-Hash-MD5", Body.Hash("md5"))
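The following Python script is an added example, not code from this page, from Web Gateway or from Trellix ESM. It replays the two throttling rules above (drop 407 responses, forward only transactions with a non-zero Block.ID) and the hash-based outbreak tracking against constructed syslog lines, so you can check what the rules would let through before they go live. The key=value record layout and the field names status_code, block_id, src_ip and x_hash_md5 are assumptions standing in for whatever the imported SIEM rule set actually emits; only the rule logic is taken from the page.

```python
"""Off-box replica of the syslog throttling rules and the X-Hash-MD5
outbreak check described above. Added example; the record format below
is constructed and hypothetical, not the SIEM rule set's real layout."""
import hashlib
import re

# Constructed sample records (not captured from an appliance). Fields are
# a stand-in for the key=value pairs the imported SIEM rule set would log.
SAMPLE_SYSLOG = [
    '<14>Jan 10 12:00:01 mwg mwg: src_ip=10.0.0.5 url="http://intranet/a" '
    'status_code=407 block_id=0',
    '<14>Jan 10 12:00:02 mwg mwg: src_ip=10.0.0.5 url="http://intranet/a" '
    'status_code=200 block_id=0',
    '<14>Jan 10 12:00:03 mwg mwg: src_ip=10.0.0.7 url="http://bad.example/x.exe" '
    'status_code=403 block_id=80 x_hash_md5=9e107d9d372bb6826bd81d3542a419d6',
    '<14>Jan 10 12:00:04 mwg mwg: src_ip=10.0.0.9 url="http://bad.example/x.exe" '
    'status_code=403 block_id=80 x_hash_md5=9e107d9d372bb6826bd81d3542a419d6',
    '<14>Jan 10 12:00:05 mwg mwg: src_ip=10.0.0.9 url="http://other.example/y.bin" '
    'status_code=403 block_id=80 x_hash_md5=d41d8cd98f00b204e9800998ecf8427e',
]

# key=value pairs; a quoted value may contain spaces, an unquoted one may not.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> dict:
    """Split one constructed syslog line into a dict.
    Quoted values lose their quotes; status_code and block_id become ints."""
    rec = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
    for numeric in ("status_code", "block_id"):
        if numeric in rec:
            rec[numeric] = int(rec[numeric])
    return rec


def passes_throttle(rec: dict) -> bool:
    """Mirror of the two Stop Rule Set rules at the top of the rule set.
    A 407 response stops the logging rule set, and so does a transaction
    without a Block action (Block.ID equals 0). True means the record
    would still be forwarded to Trellix ESM."""
    if rec.get("status_code") == 407:
        return False
    if rec.get("block_id", 0) == 0:
        return False
    return True


def throttle(lines):
    """Return the parsed records that survive both throttling rules."""
    return [rec for rec in map(parse_record, lines) if passes_throttle(rec)]


def body_hash(data: bytes, method: str = "md5") -> str:
    """Same computation as Body.Hash(method) over a file body, so a logged
    X-Hash-MD5 value can be reproduced from a sample of the file."""
    return hashlib.new(method, data).hexdigest()


def hosts_per_hash(records):
    """Group forwarded block records by file hash and list the distinct
    clients that fetched it. One hash on several clients is the outbreak
    pattern the hash logging is meant to expose."""
    spread = {}
    for rec in records:
        digest = rec.get("x_hash_md5")
        if digest:
            spread.setdefault(digest, set()).add(rec["src_ip"])
    return {digest: sorted(ips) for digest, ips in spread.items()}


if __name__ == "__main__":
    kept = throttle(SAMPLE_SYSLOG)
    print(f"{len(SAMPLE_SYSLOG)} records in, {len(kept)} forwarded to ESM")
    for digest, ips in hosts_per_hash(kept).items():
        print(f"{digest} seen on {len(ips)} client(s): {', '.join(ips)}")
```

Because the 407 check runs before the Block.ID check, a blocked 407 would still be dropped; swap the two rules in the appliance (and in passes_throttle) if you want to keep every block regardless of status code.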
Disabling the aggregation of syslog data
When the Skyhigh Security SIEM Receiver receives syslog data from Web Gateway, similar events are by default aggregated into a single record. While aggregation is useful for many data sources, it can be undesirable for Web Gateway, because details that differ between the aggregated events, such as individual URLs or file hashes, are lost.
You can disable aggregation for Web Gateway data on Trellix ESM.
For more information, see the documentation for Trellix ESM and the Data Source Configuration Guide. The guide is provided in the online rule set library under SIEM (Nitro) Integration.