...
Page properties |
---|
Description:
A SIEM system (Security Information and Event Management) is used to detect threats in the network in real time and to take appropriate countermeasures. For this purpose, the SIEM system collects logs from network components and analyzes them.
This article describes how a SIEM system can be used with LANCOM R&S®Unified Firewalls that are managed in the LMC.
...
- Your LANCOM Unified Firewall must be managed by the LMC
- The Unified Firewall must be assigned to a site
- The Unified Firewall must be assigned the Gateway role
- Access to the LMC to update and roll out the configuration of the Unified Firewall
- LCOS FX as of version 10.13 Rel (download latest version)
- Configured and functional SIEM system
Info |
---|
The SIEM implementation in the LMC has been successfully tested with the following SIEM systems:
|
Procedure:
1) Activate SIEM support in the LMC:
...
Info |
---|
You can find the Project ID in the LMC menu Management → Properties. |
2) Provide IDPS messages from the Unified Firewall to the SIEM system:
2.1) After activating SIEM support, the Unified Firewall changes to the state Outdated. Roll out the configuration to the Unified Firewall so that the IDPS alerts are provided.
Info |
---|
As of December 2024, only IDPS alerts are provided. Support for additional logs will be added in future LMC and LCOS FX versions. |
2.2) Connect to the Unified Firewall via the WEBconfig tunnel in the LMC and check in the menu Monitoring & Statistics → Settings whether the additional column LMC has been rolled out and whether the option is active for IDPS Alert.
3) Generate a SIEM API Secret in the LMC:
3.1) In the LMC go to the menu Project specifications → External services → SIEM and click on Create API Secret Key.
3.2) Copy the Secret Key and store it in a secure location, then enter it in your SIEM system. Treat the key like a password: anyone who holds it can read the project's IDPS alerts via the API, and the LMC only shows it once at creation.
4) Example requests to the SIEM API:
Info |
---|
You can find the SIEM API documentation (Swagger) at the following link: |
...
Codeblock |
---|
curl --request GET \
  --url 'https://cloud.lancom.de/cloud-service-siem/accounts/<UUID of your LMC project>/logs' \
  --header 'Authorization: LMC-API-KEY <API Secret Key (see step 3)>' |
Codeblock |
---|
curl --request GET \
  --url https://cloud.lancom.de/cloud-service-siem/accounts/ea96d5d0-01f6-498a-b9ec-629be24eae9e/logs \
  --header 'Authorization: LMC-API-KEY eyJraWQiOiIxIiwidHlwIjoiTE1DLUFQSS1LRVkiLCJhbGciOiJIUzI1NiJ9.3zezFHKzCYJlCgh-3V1KN0yEe8lTUQEE75DXc-Vv2Dc._93wf35NVk8Q6yt7omWzyohTgW58424tQzRFIPgr111' |
...
With the endpoint offsets you can read out the number of the first available log, the number of the next unread log, and the offset limit for the specified account. Compare the stored read position of your SIEM system with the first available log before fetching: if your position is older than the first available log, alerts in between are no longer retrievable.
Codeblock |
---|
curl --request GET \
  --url 'https://cloud.lancom.de/cloud-service-siem/accounts/<UUID of your LMC project>/offsets' \
  --header 'Authorization: LMC-API-KEY <API Secret Key (see step 3)>' |
Codeblock |
---|
curl --request GET \
  --url https://cloud.lancom.de/cloud-service-siem/accounts/30995a43-3705-439a-9c2c-da1331bb5106/offsets \
  --header 'Authorization: LMC-API-KEY eyJraWQiOiIxIiwidHlwIjoiTE1DLUFQSS1LRVkiLCJhbGciOiJIUzI1NiJ9.3zezFHKzCYJlCgh-3V1KN0yEe8lTUQEE75DXc-Vv2Dc._93wf35NVk8Q6yt7omWzyohTgW58424tQzRFIP11111' |
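The two curl calls above are one-off requests; a SIEM connector has to repeat them and remember where it stopped. The following poller is an added example and not LANCOM code. It uses only the two endpoints shown on this page with the same Authorization header, reads the API Secret Key from an environment variable instead of the command line, refuses to put the key into error messages, and uses the offsets endpoint to detect when its saved position is older than the oldest log the LMC still holds (lost alerts). The JSON field names `first`, `next` and `limit` of the offsets response, the `offset` query parameter of the logs endpoint, a JSON array as the logs response, and the environment variable names `LMC_PROJECT_ID` / `LMC_SIEM_API_KEY` are assumptions; check them against the Swagger documentation before use.

```python
"""Poll the LMC SIEM API for IDPS alerts and track the read position (added example)."""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://cloud.lancom.de/cloud-service-siem"


def build_request(project_id, api_key, endpoint, params=None):
    """Return (url, headers) for an authenticated GET on the SIEM API.
    The key travels only in the Authorization header, as in the curl calls,
    never in the URL, so it does not end up in proxy or access logs."""
    url = f"{BASE_URL}/accounts/{project_id}/{endpoint}"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    headers = {"Authorization": f"LMC-API-KEY {api_key}", "Accept": "application/json"}
    return url, headers


def urllib_transport(url, headers):
    """Real HTTP transport: returns (status, body bytes), no exception on HTTP errors."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class SiemClient:
    """Reads IDPS alerts from the LMC SIEM API and keeps track of the read position."""

    def __init__(self, project_id, api_key, transport=urllib_transport):
        self.project_id = project_id
        self._api_key = api_key
        self._transport = transport  # injectable so the client can be exercised offline
        self.gaps = []               # (saved_cursor, first_available) pairs: alerts lost

    def _get(self, endpoint, params=None):
        url, headers = build_request(self.project_id, self._api_key, endpoint, params)
        status, body = self._transport(url, headers)
        if status == 401:
            raise PermissionError("API Secret Key rejected (HTTP 401): create a new key in the LMC")
        if status == 429:
            raise RuntimeError("rate limit reached (HTTP 429): back off before retrying")
        if status != 200:
            # Report URL and status only; the Authorization header is never logged.
            raise RuntimeError(f"GET {url} failed with HTTP {status}")
        return json.loads(body)

    def offsets(self):
        """ASSUMED JSON field names: first, next, limit (verify in the Swagger docs)."""
        data = self._get("offsets")
        return int(data["first"]), int(data["next"]), int(data["limit"])

    def fetch_new_logs(self, cursor=None):
        """Return (alerts, new_cursor). cursor is the offset of the next log to read,
        persisted by the caller between runs (None on the very first run)."""
        first, next_unread, _limit = self.offsets()
        if cursor is None:
            cursor = first  # first run: read everything the LMC still holds
        if cursor < first:
            # Saved position is older than the oldest retained log: alerts were lost.
            self.gaps.append((cursor, first))
            cursor = first
        alerts = []
        while cursor < next_unread:
            # ASSUMED: logs accepts an offset query parameter and returns a JSON array
            batch = self._get("logs", {"offset": cursor})
            if not batch:
                break
            alerts.extend(batch)
            cursor += len(batch)
        return alerts, cursor


if __name__ == "__main__":
    # Key from the environment: keeps it out of the source and the shell history.
    client = SiemClient(os.environ["LMC_PROJECT_ID"], os.environ["LMC_SIEM_API_KEY"])
    new_alerts, position = client.fetch_new_logs()
    print(f"{len(new_alerts)} new IDPS alerts, next offset {position}, gaps: {client.gaps}")
```

Persist the returned cursor (a file or your SIEM's checkpoint store) and pass it back on the next run; a non-empty `gaps` list should raise an alert in the SIEM itself, because it means IDPS events were produced that nobody can fetch any more.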
...