Secureworks Plugin for Log Shipper

This document explains how to configure your Secureworks Taegis XDR instance with the Cloud Log Shipper module of the Netskope Cloud Exchange platform.

For Secureworks documentation, go to: https://docs.ctpx.secureworks.com/integration/connectCloud/netskope/

Prerequisites

To complete this configuration, you need:

  • A Netskope tenant (or multiple, for example, production and development/test instances).
  • A Netskope Cloud Exchange tenant with the Log Shipper module already configured.
  • A Secureworks instance.
  • Connectivity to the following host: https://ctpx.secureworks.com/.

Secureworks Plugin Support

This integration supports:

  • Events
  • Alerts
  • WebTx

Workflow

  1. Get your Secureworks Collector Information.
  2. Configure the Secureworks plugin.
  3. Configure the Log Shipper Business Rules for Secureworks.
  4. Configure the Log Shipper SIEM Mappings for Secureworks.
  5. Validate the Secureworks plugin.

Get your Secureworks Collector Information

  1. Go to your Secureworks instance: https://ctpx.secureworks.com/login
  2. Enter your login credentials.
  3. Select your tenant from the top bar.
  4. Go to Integrations > Data Collectors.
  5. Click Add Collector to create a collector. Two types of collector can be created: on-premises and cloud-hosted.
  6. Click Next and add the required details.
  7. Click Create Collector.
  8. Download the .ova file and follow the Network Collector installation instructions. After a successful installation, the collector status will be online.
  9. Click the created collector and copy its IP address. You will need this IP address as the Secureworks Server in the Netskope CLS configuration.
  10. To use the collector over TLS, go to Applications > TLS Enabled Syslog.
  11. Click Settings > Configure.
  12. Select port 6514 from the dropdown.
  13. Follow the steps in the TLS Enabled Syslog documentation to obtain the TLS certificates.
  14. Upload the PKCS12 file, enter your password, and click Save.
  15. Communication from Netskope to Secureworks will then succeed on port 6514.

Configure the Secureworks Plugin

  1. In Cloud Exchange, go to Settings > Plugins.
  2. Search for and select the Secureworks button to open the plugin creation pages.
  3. Enter a Configuration Name.
  4. Select a valid Mapping. (Default mappings for all plugins are available.)
  5. Click Next.
  6. Enter your collector IP address as the Secureworks Server, select the Secureworks Format and Secureworks Protocol, and then enter the Secureworks Port and Secureworks Certificate.
  7. Enter a Log Source Identifier. The default value is netskopece. The Log Source Identifier must not contain whitespace; it is added as a prefix to all logs.
  8. Click Save.
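Before saving the configuration it is worth confirming that the collector really accepts TLS on the port selected in the previous section and that the values you are about to enter are well formed. The following pre-flight script is an added example, not Netskope or Secureworks code. It assumes that the plugin's Secureworks Certificate field corresponds to a PEM certificate usable to verify the collector's TLS endpoint (passed as `cafile`), and it uses the documentation-range address 192.0.2.10 as a placeholder for the collector IP; the `unused_local_port` helper exists only so the "unreachable" outcome can be demonstrated without a real collector.

```python
"""Pre-flight checks for a Secureworks collector before saving the Log Shipper
plugin configuration.  Added example, not Netskope or Secureworks code."""
import socket
import ssl
from typing import Dict, List, Optional

DEFAULT_TLS_PORT = 6514            # port selected for TLS Enabled Syslog on the collector
DEFAULT_IDENTIFIER = "netskopece"  # default Log Source Identifier in the plugin


def validate_log_source_identifier(identifier: str) -> List[str]:
    """Return the problems found with a Log Source Identifier (empty list = acceptable).
    The documented rule is 'no whitespace'; the empty-string check is an added sanity check."""
    problems = []
    if not identifier:
        problems.append("identifier is empty")
    if any(ch.isspace() for ch in identifier):
        problems.append("identifier contains whitespace")
    return problems


def validate_port(port: int) -> List[str]:
    """Return the problems found with the Secureworks Port value."""
    if not 1 <= port <= 65535:
        return [f"port {port} is outside 1-65535"]
    return []


def check_collector_tls(host: str, port: int = DEFAULT_TLS_PORT,
                        cafile: Optional[str] = None, timeout: float = 5.0) -> Dict[str, str]:
    """Attempt a TLS handshake with the collector and report the outcome.

    'status' is one of 'ok', 'tls_error' or 'unreachable'.  cafile is assumed to be
    the PEM certificate that corresponds to the plugin's Secureworks Certificate
    field; when None, the system trust store is used instead."""
    context = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                subject = tls.getpeercert().get("subject")
                return {"status": "ok",
                        "detail": f"{tls.version()} handshake; peer subject={subject}"}
    except ssl.SSLError as exc:         # reachable, but certificate/handshake problem
        return {"status": "tls_error", "detail": str(exc)}
    except OSError as exc:              # refused, timed out, no route
        return {"status": "unreachable", "detail": str(exc)}


def preflight(host: str, port: int = DEFAULT_TLS_PORT,
              identifier: str = DEFAULT_IDENTIFIER, cafile: Optional[str] = None) -> dict:
    """Validate the static settings first, then probe the collector only if they pass."""
    problems = validate_log_source_identifier(identifier) + validate_port(port)
    result = {"config_problems": problems}
    if not problems:
        result["tls"] = check_collector_tls(host, port, cafile)
    return result


def unused_local_port() -> int:
    """Pick a loopback port nothing is listening on (used to demonstrate the
    'unreachable' outcome without a real collector)."""
    with socket.socket() as probe:
        probe.bind(("127.0.0.1", 0))
        return probe.getsockname()[1]


if __name__ == "__main__":
    import sys
    # 192.0.2.10 is a documentation-range placeholder, not a real collector address.
    collector = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    print(preflight(collector, cafile=ca))
```

Run it as `python preflight.py <collector-ip> <ca.pem>`. A `tls_error` result means the collector answered on the port but the handshake or certificate verification failed, which usually points at the PKCS12 upload or a mismatch between the certificate and the address entered as Secureworks Server; an `unreachable` result points at network connectivity or the port selection on the collector. `ssl.SSLError` is caught before the generic `OSError` because it is a subclass of it.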

Configure Log Shipper Business Rules for Secureworks

  1. Go to Log Shipper > Business Rules.
  2. Click Create New Rule.
  3. Enter a Rule Name and select the filters to use.
  4. Click Save.

Configure Log Shipper SIEM Mappings for Secureworks

  1. Go to Log Shipper > SIEM Mappings and click Add SIEM Mapping.
  2. Select a Source Configuration, Business Rule, and Destination Configuration.
  3. Click Save.

Validate the Secureworks Plugin

To validate the plugin workflow, you can check in Netskope Cloud Exchange and in your Secureworks instance.

Validate in Netskope Cloud Exchange

Go to Logging.

Validate in Secureworks

There are two ways:

  1. Go to Integrations > Data Sources.
  2. Alternatively, go to Integrations > Data Collectors, click your data collector, and enter the required query to search the data.

To validate the raw data, go to Advanced search and write the query per the suggestions on the left.