External Systems Configuration Guide

Cisco Security Agent (CSA)

What is Discovered and Monitored

Protocol  | Information Discovered | Metrics Collected | Used For
SNMP Trap |                        |                   |

Rules

FortiSIEM uses these rules to monitor events for this device:

Rule                           | Description
Agent service control          | Attempts to modify agent configuration
Agent UI control               | Attempts to modify agent UI default settings, security settings, configuration, contact information
Application control            | Attempts to invoke processes in certain application classes
Buffer overflow attacks        |
Clipboard access control       | Attempts to access clipboard data written by sensitive data applications
COM component access control   | Unusual attempts to access certain COM sets, including Email objects
Connection rate limit          | Excessive connections to web servers or from email clients
Data access control            | Unusual attempts to access restricted data sets such as configuration files, passwords, etc. by suspect applications
File access control            | Unusual attempts to read or write restricted file sets such as system executables, boot files, etc. by suspect applications
Kernel protection              | Unusual attempts to modify kernel functionality by suspect applications
Network access control         | Attempts to connect to local network services
Network interface control      | Attempts by local applications to open a stream connection to the NIC driver
Network shield                 | Attacks based on bad IP/TCP/UDP/ICMP headers, port and host scans, etc.
Windows event log              |
Registry access control        | Attempts to write certain registry entries
Resource access control        | Symbolic link protection
Rootkit/kernel protection      | Unusual attempts to load files after boot
Service restart                | Service restarts
Sniffer and protocol detection | Attempts by packet/protocol sniffer to receive packets
Syslog control                 | Syslog events
System API control             | Attempts to access Windows Security Access Manager (SAM)

Reports

There are no predefined reports for Cisco Security Agent.

Configuration

SNMP Trap

FortiSIEM processes events from this device via SNMP traps sent by the device. Configure the device to send SNMP traps to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.

Example SNMP Trap

2008-05-13 11:00:36 192.168.1.39 [192.168.1.39]:SNMPv2-MIB::sysUpTime.0 = Timeticks: (52695748) 6 days, 2:22:37.48 SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.8590.3.1 SNMPv2-SMI::enterprises.8590.2.1 = INTEGER: 619 SNMPv2-SMI::enterprises.8590.2.2 = INTEGER: 261 SNMPv2-SMI::enterprises.8590.2.3 = STRING: "sjdevVwindb06.ProspectHills.net"SNMPv2-SMI::enterprises.8590.2.4 = STRING: "2008-05-13 19:03:21.157" SNMPv2-SMI::enterprises.8590.2.5 = INTEGER: 5 SNMPv2-SMI::enterprises.8590.2.6 = INTEGER: 452 SNMPv2-SMI::enterprises.8590.2.7 = STRING: "C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"SNMPv2-SMI::enterprises.8590.2.8 = NULL SNMPv2-SMI::enterprises.8590.2.9 = STRING: "192.168.20.38"SNMPv2-SMI::enterprises.8590.2.10 = STRING: "192.168.1.39"SNMPv2-SMI::enterprises.8590.2.11 = STRING: "The process 'C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe' (as user NT AUTHORITY\\SYSTEM) attempted to accept a connection as a server on TCP port 5900 from 192.168.20.38 using interface Wired\\VMware Accelerated AMD PCNet Adapter. The operation was denied." SNMPv2-SMI::enterprises.8590.2.12 = INTEGER: 109 SNMPv2-SMI::enterprises.8590.2.13 = STRING: "192.168.1.39" SNMPv2-SMI::enterprises.8590.2.14 = STRING: "W"SNMPv2-SMI::enterprises.8590.2.15 = INTEGER: 3959 SNMPv2-SMI::enterprises.8590.2.16 = INTEGER: 5900 SNMPv2-SMI::enterprises.8590.2.17 = STRING: "Network access control"SNMPv2-SMI::enterprises.8590.2.18 = STRING: "Non CSA applications, server for TCP or UDP services"SNMPv2-SMI::enterprises.8590.2.19 = INTEGER: 33 SNMPv2-SMI::enterprises.8590.2.20 = STRING: "CSA MC Security Module"SNMPv2-SMI::enterprises.8590.2.21 = NULL SNMPv2-SMI::enterprises.8590.2.22 = STRING: "NT AUTHORITY\\SYSTEM"SNMPv2-SMI::enterprises.8590.2.23 = INTEGER: 2
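As an added example (not FortiSIEM's parser or Cisco's code), the following Python splits a trap line in the format shown above into its varbinds and pulls out the fields a rule would key on. The positions assigned to host, remote address, port and rule name are inferred from the sample trap, not from the CSA MIB, and the sample string is a trimmed copy of the line above.

```python
import re

# Constructed sample: the trap line quoted above, trimmed to eight of its varbinds.
SAMPLE_TRAP = (
    '2008-05-13 11:00:36 192.168.1.39 [192.168.1.39]:'
    'SNMPv2-MIB::sysUpTime.0 = Timeticks: (52695748) 6 days, 2:22:37.48 '
    'SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.8590.3.1 '
    'SNMPv2-SMI::enterprises.8590.2.3 = STRING: "sjdevVwindb06.ProspectHills.net"'
    'SNMPv2-SMI::enterprises.8590.2.8 = NULL '
    'SNMPv2-SMI::enterprises.8590.2.9 = STRING: "192.168.20.38"'
    'SNMPv2-SMI::enterprises.8590.2.16 = INTEGER: 5900 '
    'SNMPv2-SMI::enterprises.8590.2.17 = STRING: "Network access control"'
    'SNMPv2-SMI::enterprises.8590.2.22 = STRING: "NT AUTHORITY\\\\SYSTEM"'
)

# A varbind is '<OID> = <TYPE>: <value>' or '<OID> = NULL'. Quoted values may hold spaces,
# '=' and backslash escapes, and a closing quote may abut the next OID (as in the sample).
OID = r'[A-Za-z0-9-]+::[\w.]+'
VARBIND_RE = re.compile(
    rf'(?P<oid>{OID})\s*=\s*(?:(?P<null>NULL)|(?P<type>[A-Za-z]+):\s*'
    rf'(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>.*?)))'
    rf'(?=\s*{OID}\s*=|\s*$)'  # a value ends only where the next '<OID> =' or EOL begins
)

def parse_varbinds(trap_line):
    """Return {oid: (type, value)}; INTEGER values become int, NULL becomes None."""
    binds = {}
    for m in VARBIND_RE.finditer(trap_line):
        vtype = 'NULL' if m.group('null') else m.group('type')
        value = m.group('quoted') if m.group('quoted') is not None else m.group('bare')
        binds[m.group('oid')] = (vtype, int(value) if vtype == 'INTEGER' else value)
    return binds

CSA = 'SNMPv2-SMI::enterprises.8590.2.'
# Assumption: positions inferred from the sample trap, not from the CSA MIB.
FIELDS = {'host': CSA + '3', 'remote_addr': CSA + '9', 'port': CSA + '16', 'rule': CSA + '17'}
# Rule names from the table above; a trap naming another rule has no predefined rule.
KNOWN_RULES = {
    'Agent service control', 'Agent UI control', 'Application control', 'Buffer overflow attacks',
    'Clipboard access control', 'COM component access control', 'Connection rate limit',
    'Data access control', 'File access control', 'Kernel protection', 'Network access control',
    'Network interface control', 'Network shield', 'Windows event log', 'Registry access control',
    'Resource access control', 'Rootkit/kernel protection', 'Service restart', 'Syslog control',
    'Sniffer and protocol detection', 'System API control'}

def summarize(trap_line):
    binds = parse_varbinds(trap_line)
    out = {name: binds[oid][1] for name, oid in FIELDS.items() if oid in binds}
    out['known_rule'] = out.get('rule') in KNOWN_RULES  # flag CSA rule names not in the table
    return out
```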
