WatchGuard Firebox整合

記錄收集器防火牆

您可以將 WatchGuard Firebox 與 Sophos Central 整合，讓其將資料傳送至 Sophos。

本頁面提供此整合功能的概覽。

WatchGuard Firebox 產品簡介

WatchGuard 提供一系列易於部署和管理的防火牆，專為各種規模的企業量身打造。他們的解決方案專注於進階威脅偵測和回應，透過針對網路活動提供快速可見性以及威脅情報得到支援。

Sophos 文件資訊

整合 WatchGuard Firebox

資料擷取內容

Sophos 可擷取的範例警示包括：

blocked sites (reason IP scan attack)
ProxyDeny: DNS invalid number of questions
Authentication of ACCOUNT_TYPE user [USERNAME] from IP_ADDRESS was rejected, received an Access-Reject response from the (IP_ADDRESS) server
blocked sites (TOR blocking source)
SSL VPN user NAME from IP_ADDRESS logged in assigned virtual IP is IP_ADDRESS
Rogue Access Point detected at MAC, broadcasting SSID NAME
Authentication error. no matching session found for USERNAME.
Device already has the latest TYPE signature version VERSION
ProxyDrop: HTTP Virus found
ProxyStrip: HTTP header malformed
Cannot start the signature update for 'TOR'
Certificate (CERTIFICATE) is not valid.
ProxyDeny: SMTP To address
Wireless country specification from LiveSecurity Service was not received: error can't get country spec response from LiveSecurity Service, (retry_countN)
Manual MICROSOFT365 update started
'LIVESECURITY' feature expired (DATE) prior to package release date (DATE)
sendalarm: failed to send alarm message
blocked sites (ThreatSync destination)
WEB Microsoft IIS HTTP.sys Remote Code Execution Vulnerability (CVE-2015-1635)
WEB Apache HTTPD mod_proxy_ajp Denial Of Service (CVE-2011-3348)
Shutdown requested by system
VIRUS Eicar test string N
DDOS from client IP_ADDRESS detected.
WEB PHPUnit CVE-2017-9841 Arbitrary Code Execution Vulnerability
SSH Brute Force Login N

資料篩選

我們按以下方式篩選警示：

代理程式篩選

我們允許所有日誌。
我們刪除各種高頻率但低價值的指定訊息。

平台篩選

我們允許有效的LEEF。
我們刪除多項經審查後確認與安全性無關的訊息與日誌。
我們刪除各種高頻率但低價值的指定訊息。

威脅對應範例

我們使用其中一個欄位來決定警示類型，取決於警示分類及其包含的欄位。

fields.msg
fields.IPS_rule
leef.eventID

"value": "=> !isEmpty(fields.msg) ? is(fields.msg, 'IPS detected') ? searchRegexList(fields.IPS_rule, [_.referenceValues.code_translation.regex_alert_type, _.globalReferenceValues.code_translation.regex_alert_type]) ?  searchRegexList(fields.IPS_rule, [_.referenceValues.code_translation.regex_alert_type, _.globalReferenceValues.code_translation.regex_alert_type]) :  fields.IPS_rule : searchRegexList(fields.msg, [_.referenceValues.code_translation.regex_alert_type, _.globalReferenceValues.code_translation.regex_alert_type]) ? searchRegexList(fields.msg, [_.referenceValues.code_translation.regex_alert_type, _.globalReferenceValues.code_translation.regex_alert_type]) : fields.msg : getNestedValue(_.referenceValues.code_translation, 'alert_translation', leef.eventId) ? getNestedValue(_.referenceValues.code_translation, 'alert_translation', leef.eventId) :  getNestedValue(_.globalReferenceValues.code_translation, 'alert_translation', leef.eventId) ? getNestedValue(_.globalReferenceValues.code_translation, 'alert_translation', leef.eventId) : leef.eventId"

範例對應項目如下：

{"alertType": "ProxyAllow: HTTP Range header", "threatId": "T1498", "threatName": "Network Denial of Service"}
{"alertType": "Scheduled GAV update started", "threatId": "TA0005", "threatName": "Defense Evasion"}
{"alertType": "IPS detected", "threatId": "T1562.001", "threatName": "Disable or Modify Tools"}