Collectors

Enginsight provides a diverse range of collector types for comprehensive data collection. Within the Enginsight system there are three main types of collectors: Receiving Collectors, Relationship Collectors, and Integrated Collectors. All of these collectors are operated by Pulsar Agents, which actively gather the data needed for a complete picture of the system landscape.

General Collectors

General collectors act as the primary data collection points in Enginsight SIEM. They open ports and receive external logs through those ports. Where the agent is located in the network does not matter; it can even run in an isolated network without external access. The only critical requirements are that the firewall permits data transfer to these ports and that the agent is authorized to send the collected data to the API.

Event Relay

For an agent acting as an event relay to receive data from the firewall, you must allow it to open a port. To do this, go to Hosts and click on the host in question to open its detailed view. Then go to "Settings" in the left sidebar under Miscellaneous, open the "Advanced Settings" and check "Allow analysis of system logs".

Assign a unique name and write a short description. Next, specify the host that will serve as the receiving collector. By default, the "bind address" is set to 0.0.0.0, so the relay accepts data from both the internal and the external network. Binding to an internal IP address is also possible if external IPs should be excluded; in that case, enter the desired IP address here. Under "Protocol", choose between UDP and TCP. Under "Format", specify the syslog format in which the incoming data should be parsed.

The settings of your Event Relay must match those of the connected firewall. Set them within the firewall settings. If you cannot set these values manually on the firewall, use the default settings: Port 514, Format RFC3164.

If your network uses several RFC formats, you can also install several event relays on one agent, each on its own port. Note that different ports are required in this case, otherwise the affected event relays interfere with one another.

Finally, click "Add Collector" to save your created event relay.

Data transfer between the Event Relay and the API uses GZIP level 9, which yields a compression ratio of about 20 to 1 and saves your resources.

ESET Event Relay

Please note that you must define templates for ESET manually. To do this, follow the instructions below.

  1. In ESET Protect Management, go to "Settings" via "More". Enter the corresponding values under Syslog Server.

  2. Now switch to your notifications and create a separate notification for each event type.

  3. Under "Basic", proceed as shown in the following diagram. Make sure that the notifications are activated and assign names (these are freely selectable and are only used for the overview). The event type is defined in the top line and the syslog event in the second line:

  4. Switch to "Configuration" and select the appropriate event type under Category.

  5. Now switch to "Distribution" and allow the sending of syslogs.

Then, under the "Content" sub-item, enter the corresponding template for the notification. Use the following scheme: the number in front of each template is the event type (line 1 in ESET), and the text after it is the syslog template (the full line 2).

Scan:
4 - "${computer_name}"|"${severity}"|"${timestamp}"|"${scanned_targets}"|"${scanned}"|"${infected}"|"${cleaned}"|"${status}"|"${completion}"|"${scanner}"|"${user}"|"${computer_sg_parent}"|"${computer_sg_hierarchy}"|"${notification_name}"

HIPS:
6 - "${computer_name}"|"${severity}"|"${timestamp}"|"${application}"|"${operation}"|"${target}"|"${action}"|"${rule_name}"|"${occurrences}"|"${user}"|"${computer_sg_parent}"|"${computer_sg_hierarchy}"|"${notification_name}"

ESET INSPECT alert:
8 - "${computer_name}"|"${severity}"|"${timestamp}"|"${process_name}"|"${user}"|"${rule_name}"|"${occurrences}"|"${ei_console_link}"|"${hash}"|"${detection_handled}"|"${severity_score}"|"${computer_severity_score}"|"${computer_sg_parent}"|"${computer_sg_hierarchy}"|"${notification_name}"

Firewall detection:
7 - "${computer_name}"|"${severity}"|"${timestamp}"|"${firewall_event}"|"${ip_address}"|"${src_address_type}"|"${src_port}"|"${tgt_address}"|"${tgt_address_type}"|"${tgt_port}"|"${protocol}"|"${inbound_comm}"|"${user}"|"${process_name}"|"${rule_name}"|"${detection_name}"|"${occurrences}"|"${detection_handled}"|"${computer_sg_parent}"|"${computer_sg_hierarchy}"|"${notification_name}"

Computer identity recovered:
9 - "${timestamp}"|"${source_computer_name}"|"${target_computer_name}"|"${computer_sg_parent}"|"${computer_sg_hierarchy}"|"${notification_name}"

Computer first connected:
10 - "${timestamp}"|"${computer_name}"|"${is_hardware_detection_enabled}"|"${computer_sg_parent}"|"${computer_sg_hierarchy}"|"${notification_name}"

Antivirus detection:
1 - "${computer_name}"|"${severity}"|"${timestamp}"|"${detection_type}"|"${detection_name}"|"${scanner}"|"${virus_db}"|"${object_type}"|"${object_uri}"|"${action_performed}"|"${action_error}"|"${detection_handled}"|"${restart_required}"|"${user}"|"${process_name}"|"${circumstances}"|"${first_seen_time}"|"${hash}"|"${computer_sg_parent}"|"${computer_sg_hierarchy}"|"${notification_name}"

Blocked File:
2 - "${computer_name}"|"${severity}"|"${timestamp}"|"${object_uri}"|"${description}"|"${cause}"|"${action}"|"${process_name}"|"${user}"|"${hash}"|"${first_seen_time}"|"${detection_handled}"|"${computer_sg_parent}"|"${computer_sg_hierarchy}"|"${notification_name}"

Computer cloning question created:
3 - "${timestamp}"|"${source_computer_name}"|"${target_computer_name}"|"${computer_sg_parent}"|"${computer_sg_hierarchy}"|"${notification_name}"

New MSP customer found:
5 - "${timestamp}"|"${msp_customer_name}"|"${msp_company_name}"|"${notification_name}"
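The templates above define a fixed column order per event type, with every value wrapped in double quotes and separated by a pipe. The following parser, added here as an illustration and not part of Enginsight's or ESET's own code, takes an RFC3164 syslog line as the event relay would receive it on port 514, splits the ESET payload into named fields for event types 1 (Antivirus detection) and 4 (Scan), and rejects a message whose column count does not match its template. It assumes the event type is known from the notification that produced the message; the sample line, hostname, tag and hash are constructed.

```python
import re

# Field order of the ESET notification templates from this page, keyed by the
# event-type number in front of each template (subset: 1 Antivirus, 4 Scan).
ESET_TEMPLATES = {
    1: ["computer_name", "severity", "timestamp", "detection_type", "detection_name",
        "scanner", "virus_db", "object_type", "object_uri", "action_performed",
        "action_error", "detection_handled", "restart_required", "user",
        "process_name", "circumstances", "first_seen_time", "hash",
        "computer_sg_parent", "computer_sg_hierarchy", "notification_name"],
    4: ["computer_name", "severity", "timestamp", "scanned_targets", "scanned",
        "infected", "cleaned", "status", "completion", "scanner", "user",
        "computer_sg_parent", "computer_sg_hierarchy", "notification_name"],
}

# RFC3164 header as the event relay receives it: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+):\s*(?P<msg>.*)$"
)

def split_template_fields(msg):
    """Split the quoted, pipe-delimited template payload into raw values."""
    if len(msg) < 2 or not (msg.startswith('"') and msg.endswith('"')):
        raise ValueError("payload is not a quoted pipe-delimited template")
    # Split on the exact separator '"|"' so that a bare '|' inside a value
    # (e.g. in object_uri) does not shift the remaining columns.
    return msg[1:-1].split('"|"')

def parse_eset_syslog(line, event_type):
    """Parse one line into syslog header fields plus the named ESET fields."""
    m = RFC3164.match(line)
    if not m:
        raise ValueError("not an RFC3164 line")
    names = ESET_TEMPLATES[event_type]   # type assumed known from the notification
    values = split_template_fields(m.group("msg"))
    if len(values) != len(names):
        raise ValueError(f"type {event_type}: expected {len(names)} fields, got {len(values)}")
    pri = int(m.group("pri"))
    return {"syslog_facility": pri // 8, "syslog_severity": pri % 8,
            "syslog_host": m.group("host"), "syslog_tag": m.group("tag"),
            **dict(zip(names, values))}

# Constructed sample line (not real ESET output): one Antivirus detection, type 1.
SAMPLE = ('<14>Jan 12 10:15:32 eset-protect ESETPROTECT: '
          '"WS-042"|"Warning"|"2024-01-12 10:15:30"|"Real-time file system protection"'
          '|"Eicar"|"Real-time file system protection"|"1234 (20240112)"|"file"'
          '|"C:\\Users\\alice\\Downloads\\a|b.txt"|"cleaned by deleting"|""|"true"|"false"'
          '|"alice"|"C:\\Program Files\\Firefox\\firefox.exe"|"Event occurred on a new file"'
          '|"2024-01-12 10:15:29"|"PLACEHOLDER_HASH"|"All"|"All/Workstations"|"AV detection"')
```

Running `parse_eset_syslog(SAMPLE, 1)` returns a dictionary with the syslog facility and severity decoded from the PRI value plus the 21 template fields; passing the same line as type 4 raises a ValueError because the column count does not match the Scan template.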

Log files

Use log file collectors to extract relevant security information from the log files of systems that cannot send logs on their own via event relays.

Create a new collector via "Add collector". Assign a unique name and a short description. By default, the collector sends logs; if you do not want this, deactivate the function by clicking the button. Then define a host assignment. Choose between:

  • Reference: define at least one host from which the logs are to be recorded.

  • Tags: define at least one tag to which the collector applies.

Finally, define at least one extractor for your log files, enter the relevant file paths and add your collector by clicking the relevant button.

API Collectors

These collectors extract data from connected cloud applications and actively transmit it to the SIEM, expanding the scope of overall data collection.

Create Microsoft Office 365 Collector

  1. To connect your Office logs to the Enginsight SIEM, you must first create an API key in your Microsoft Office application. To do this, follow the instructions below.

  2. After you have created your key, the permissions under Microsoft Azure must be set as follows:

  3. Finally, create a collector in your SIEM. Assign a unique name and a short description for the collector. Then specify whether the collector can send logs. Select a host from the drop-down menu under "Host". Enter one or more "Channels" to be monitored and add the "Tenant ID" and the "Client ID". Once you have decided on the "Authentication method" (secret or certificate), save your changes and add the collector by clicking the "Save changes" button.

You can find your client ID and tenant ID in Microsoft Azure under "App registration" > "All applications"; click on the corresponding entry. Take the client ID from this view and enter it when setting up your collector.

Confluence (Atlassian) Collector

Go to the Atlassian administration with the administrator account. Click on your initials in the top right-hand corner and select "Manage account" from the menu that appears. Then select the "Settings" tab in the navigation bar. In this view you can create a new API key by pressing the button.

Then create a collector in Enginsight SIEM, select the relevant host and enter the corresponding tenant ID. Add the collector by saving your settings.

Host Collectors

The Host Collectors collect logs directly from the operating system using the already installed agents. This enables seamless data collection that directly accesses existing resources and provides a comprehensive view of system activity.

Create Integrated Collectors

Assign a meaningful name and a short description. Use the button below to specify whether the collector should be able to send logs on its own. Under "Host assignment" you can either select "Tags" and list all tags that should count for this collector, or select "Reference" and specify the explicit hosts to which the collector applies.

Create Windows event log collector

Select from the default channels which you want to monitor and add more channels via the button with just a few clicks.

Integrate Exchange Logs

Easily integrate Exchange Logs. To do this, find the log name (via your Windows event viewer) of the channel you want, copy the exact name and add it under "Add Custom Channel".

Create Unified Logs (macOS) collector

Again, select the channels you want to monitor from the default channels under logLevels. Note that unified logs produce a considerable amount of data; we therefore strongly recommend activating "Fault" by default.

Create Syslog (Linux) collector

Again, select the channels you want to monitor from the default channels under logLevels. Note that unified logs produce a considerable amount of data; we therefore strongly recommend activating "Fault" by default.
