SBN

SIEM Integration on the Indusface WAS

Indusface WAS integrates with all major Security Information & Event Management (SIEM) providers that integrate with Amazon S3.

With this integration, you can push logs from Indusface WAS into leading SIEM providers like SumoLogic, RSA, Splunk, and McAfee.

Given the complexity of modern architectures encompassing multiple security devices and environments, organizations increasingly rely on SIEM solutions. These solutions enable data aggregation, analysis, and visualization across diverse security systems.

Indusface’s AppTrana WAF has been offering SIEM integration for an extended period, and we are excited to introduce a seamless integration feature that allows you to feed vulnerability data from our web application scanner directly into your SIEM solution.

Forwarding WAS Log Data to SIEM

Indusface WAS sends the following logs into SIEM tools:

Claroty

Scan Logs

Scan logs refer to the records generated during the scanning process of a web application. These logs typically contain information about the scans performed, including details such as the date and time of the scan, the target URL or IP address and scan configurations, and any detected vulnerabilities or anomalies.

Vulnerability Logs

Vulnerability logs capture information related to identified vulnerabilities in a web application. These logs provide details about the specific vulnerabilities discovered during scans, such as the type of vulnerability, severity level, and affected components or systems. They serve as a valuable resource for monitoring and addressing security weaknesses in the application.

Indusface WAS sends a wide array of log data. Listed below are the key data that are common across all assessments:

Scan Logs Vulnerability Logs
ScanlogId
ServicType
ServiceId
URL
SealStatus
TotalFoundVulnerabilities
ScanStatus
ScanDate
UniqueAlertId
Title
Severity
OpenStatus
FoundOn – “URL”
FoundDate

Benefits of Integrating Indusface WAS with SIEM Tools

  • Enhanced threat detection and response: Real-time monitoring and analysis of vulnerability scan results enables you to identify and respond to potential threats faster.
  • Centralized visibility: You also get a centralized view of vulnerability data alongside other security events, facilitating comprehensive analysis and correlation for better decision-making.
  • Streamlined incident management: By combining vulnerability scan data with SIEM, you can prioritize, and address vulnerabilities based on their potential impact, leading to more efficient incident management processes.
  • Compliance and audit readiness: Integration helps you in meeting regulatory requirements by providing a holistic view of security events, vulnerabilities, and remediation efforts.

Steps to Integrate Indusface WAS with Your SIEM Tool 

Step 1: Indusface WAS Setup

Indusface WAS customers who want to enable the SIEM log feature must set up the integration with the S3 method on the Indusface WAS >> Settings >> SIEM Configuration.

Indusface WAS Setup for SIEM Integration

Click on the toggle button to Enable SIEM S3 Logs

Enable SIEM s3 Logs in Indusface WAS

 

The setup process for SIEM log integration entails SIEM AWS Account ID and SIEM External ID to set up a role-based access account in the Indusface AWS account:

Enable SIEM S3 Logs in Indusface WAS

 

You can get these details from SIEM tools where you want to integrate S3 logs.  For instance, the following steps describe creating a collector in Sumo Logic.

Step 2: Create a Sumo Logic Collector

In Sumo Logic, go to Manage Data >> Collection >> Collection and click Add Source

Role based access login in AWS

 

This can be an existing hosted collector or one you have created for this task. Here, we have selected our AWS source type – Amazon S3.

From Amazon S3 > > AWS Access >> Access Method, you can find the Account ID and External ID details.

Define a connection to your S3 bucket using the AWS ARN authentication

 

Use the Account ID and External ID in the respective fields of the Indusface WAS (Showed in Step: 1) and then click on the Submit button.

Enable SIEM S3 Logs in Indusface WAS

ARN Created Successfully in SIEM Integration

Once the ARN is created successfully, WAS will automatically display the details to integrate S3 logs into SIEM.

SIEM Config details from WAS

Step 3: Configuring Integration with Sumo Logic

To strengthen security measures, you must connect to your S3 bucket by using AWS Amazon Resource Name (ARN) authentication and an Identity and Access Management (IAM) role.

Go back to the Sumo Logic configuration page, and complete the integration form by filling in the appropriate details:

  • Provide a Name for the newly created Source. You may optionally include a Description.
  • Choose an S3 Region corresponding to the S3 bucket created in your Amazon account.
  • Enter the exact name of your organization’s S3 bucket in the “Bucket Name” field.
  • For the “Path Expression” field, enter the wildcard pattern that matches the S3 objects you intend to collect. You may utilize a single wildcard (*) in this string.

Configuring Integration with Sumo Logic

  • When selecting “AWS Access,” choose one of the two Access Method options, depending on the AWS authentication you provide. We recommend going for Role-based access.
  • In the “Role-based access” field, enter the Role ARN that AWS issued upon role creation. [This was completed in Step 2 – Create a Sumo Logic Collector]

AWS access details setup

  • In Log file discovery, you can specify a referred scanning frequency for your S3 bucket to detect new data.

Scan Interval Setup for Log Discovery

After you have finished the Source setup, remember to click Save to save your configurations.

View WAS Scan Logs on SIEM

Once the configuration is completed, you can view the Indusface WAS scan logs in your SIEM tool as shown below:

  • In the Collection page, hover over your collectors’ name, and a blue icon will be displayed, click on the icon.

How to view WAS Scan Logs on Sumo Logic?

  • Once the source collector is opened, select a time span, and click on the search icon to fetch the log record.

Select the time span for log discovery

  • Scan log details for the selected collector are displayed.

Displaying the Indusface WAS log data on SIEM

SIEM Integration Use Cases on Indusface WAS

Configuration Description
Enable SIEM S3 Logs If the button is enabled, logs will be stored.
Disable SIEM S3 Logs You can disable storing logs temporarily. If the button is disabled, logs will not be stored until you enable it.
Update You can update configuration details with new details
Delete Configurations You can delete the whole configuration

 

SIEM is an essential tool for any SOC, and integrating DAST scanners with SIEM tools is a best practice that world-class SOC teams follow. Leverage the integration today, and for any questions, write to [email protected].

Stay tuned for more relevant and interesting security articles. Follow Indusface on FacebookTwitter, and LinkedIn.

AppTrana WAAP

The post SIEM Integration on the Indusface WAS appeared first on Indusface.

*** This is a Security Bloggers Network syndicated blog from Indusface authored by Gaurav Chauhan. Read the original post at: https://www.indusface.com/blog/siem-integration-on-the-indusface-was/