December 12, 2023

Integrating Sycope Audit Logs with SIEM for Enhanced Compliance and Monitoring

One of the security best practices is to store and analyze audit log information in a centralized location, like a SIEM.

Nowadays, audit logs are essential for security and compliance requirements in almost every organization, and one of the security best practices is to store and analyze that information in a centralized location, such as a SIEM.

All information in Sycope, both the data collected from NetFlow and the Security module alerts, system notifications and audit logs, is stored in the proprietary Sycope database, divided into separate collections called data streams. Data within a data stream can be accessed with the proprietary query language, NQL. Using the API, via Postman or an external script (for example in Python), we can use NQL to request data from the data stream called "audit log", which stores information about system and user actions, and send it to the IP address of the SIEM as a JSON file.

To prepare such an integration, we must follow 3 relatively simple steps:

1) Creating a user for executing the NQL request,

2) Preparing a function that will authenticate the user,

3) Preparing a function that will execute the NQL request for the audit log data stream, then enrich and send the extracted audit log to the SIEM.

1. Creating a user for executing the NQL request

As a first step, according to security best practices, I strongly recommend creating a user dedicated solely to this kind of integration. We should create a local user and a role that defines its access to system resources. Thanks to Sycope's granular RBAC functionality, we can create a role that has no access to Web UI elements and is additionally restricted from all data streams except the necessary audit log. In this example the local user created for the integration is called auditor and the role it uses is called Auditor.

To authenticate the user and to execute the NQL query, we use two API endpoints:

First: https://<sycope_ip>/login for authentication and cookie generation,

Second: https://<sycope_ip>/pipeline/run for query execution.

Using the login endpoint, we acquire a session cookie that authenticates the following requests to the pipeline/run endpoint. Login credentials (username and password) must be provided within the body of our HTTP POST request. The returned cookie must be saved and used in the header of every following request. An example of a function created in Python that executes the login request is presented below.

2. Preparing a function that will authenticate the user

Next, we should create an HTTP request body which includes the NQL request to execute in order to get the audit log entries. An example of such a body is presented below.

Start time and end time must be variables whose epoch values are calculated as the previous minute at every execution of the integration script. This ensures that we access the most recent messages and do not duplicate entries that we have already exported to the SIEM.

A proposed function based on the Python requests library that executes our payload with the NQL query included is presented below.

3. Preparing a function that will execute the NQL request for the audit log data stream, then enrich and send the extracted audit log to the SIEM

The last step is to parse the downloaded logs, enrich them with any additional information that may be required by the SIEM administrators, and send them to the destination address of the SIEM.

The most suitable way to run this kind of integration is to use Crontab or Task Scheduler, with script execution set to every minute. This ensures that the script exports log messages from the previous minute and does not duplicate messages in the destination system.
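The three steps put together in one script, as an added example that is not the post's own code: it uses only the Python standard library (urllib with a cookie jar instead of requests), reads the auditor credentials from environment variables rather than hard-coding them, keeps TLS certificate verification enabled, computes the half-open previous-minute window so consecutive cron runs never overlap, and forwards each enriched entry as one JSON line over TCP. The NQL query text, the key names in the login body and the shape of the pipeline/run response (assumed to be a JSON list of entries) are assumptions, not documented Sycope syntax.

```python
import json
import os
import socket
import time
import urllib.request
from http.cookiejar import CookieJar

def previous_minute_window(now_epoch):
    """Start/end epoch of the whole minute before now_epoch, half-open [start, end) so runs never overlap."""
    end = now_epoch - (now_epoch % 60)  # beginning of the current minute
    return end - 60, end

def build_payload(start, end):
    """Body for pipeline/run. ASSUMPTION: the NQL text is a placeholder, not documented Sycope syntax."""
    nql = f'src stream="audit log" | where timestamp >= {start} and timestamp < {end}'
    return {"nql": nql}

def enrich(entry, extra):
    """Add fields the SIEM administrators want (source name, site, ...) without overwriting Sycope's own."""
    return {**extra, **entry}

def login(base_url, username, password):
    """Step 2: POST credentials to /login; the returned session cookie is kept in the opener's jar."""
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()))
    body = json.dumps({"username": username, "password": password}).encode()  # assumed key names
    req = urllib.request.Request(f"{base_url}/login", data=body,
                                 headers={"Content-Type": "application/json"}, method="POST")
    opener.open(req, timeout=10).close()  # raises HTTPError if authentication fails
    return opener

def fetch_audit_log(opener, base_url, payload):
    """Step 3a: run the NQL query; the cookie from login() is attached automatically."""
    req = urllib.request.Request(f"{base_url}/pipeline/run", data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with opener.open(req, timeout=30) as resp:
        return json.load(resp)  # assumed: a JSON list of audit log entries

def send_to_siem(entries, host, port):
    """Step 3b: one JSON object per line over TCP, a common SIEM raw-JSON listener format."""
    with socket.create_connection((host, port), timeout=10) as sock:
        for entry in entries:
            sock.sendall((json.dumps(entry) + "\n").encode())

if __name__ == "__main__":  # scheduled from cron / Task Scheduler every minute
    base = f"https://{os.environ['SYCOPE_IP']}"
    start, end = previous_minute_window(int(time.time()))
    opener = login(base, os.environ["SYCOPE_USER"], os.environ["SYCOPE_PASS"])
    raw = fetch_audit_log(opener, base, build_payload(start, end))
    tagged = [enrich(e, {"source": "sycope", "window_start": start}) for e in raw]
    send_to_siem(tagged, os.environ["SIEM_HOST"], int(os.environ["SIEM_PORT"]))
```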

Conclusion:

In conclusion, the significance of audit logs in today's organizational security landscape cannot be overstated. As a fundamental component of security and compliance practices, storing and analysing this critical information in a centralized location, such as a Security Information and Event Management (SIEM) system, has become a best practice.

Within Sycope, all pertinent information, including data from NetFlow, Security module alerts, system notifications, and audit logs, is stored in the proprietary Sycope database. This data is organized into distinct collections known as data streams, accessible through the proprietary query language, NQL. Leveraging NQL via the API, tools like Postman, or external scripts, for example in Python, allows for the extraction and transmission of audit log data to the designated SIEM IP address in JSON format.
