Secureworks Plugin for Log Shipper
This document explains how to configure your Secureworks Taegis XDR instance with the Cloud Log Shipper module of the Netskope Cloud Exchange platform.
For Secureworks documentation, go to: https://docs.ctpx.secureworks.com/integration/connectCloud/netskope/
This integration supports:
Events
Alerts
WebTx
To complete this configuration, you need:
A Netskope Tenant (or multiple, for example, production and development/test instances)
A Netskope Cloud Exchange tenant with the Log Shipper module already configured.
A Secureworks instance.
Connectivity to the following host: https://ctpx.secureworks.com/.
Get your Secureworks Collector Information.
Configure the Secureworks plugin.
Configure the Log Shipper Business Rules for Secureworks.
Configure the Log Shipper SIEM Mappings for Secureworks.
Validate the Secureworks plugin.
To watch a demo, click play.
Go to your Secureworks instance: https://ctpx.secureworks.com/login
Enter your login credentials.
Select your tenant from the top bar (highlighted below):
Go to Integrations > Data Collectors.
Click Add Collector to create a collector. Mainly, two types of collector can be created, on-premises and cloud-hosted.
Click Next and add the required details.
Click Create Collector.
Download the .ova file and follow the Network Collector installation instructions. After successful installation, the collector status will be online.
Click on the created collector and copy the IP Address. You will need this IP address as Secureworks Server in Netskope CLS configuration
To use the collector on TLS, go to Applications >TLS enabled Syslog.
Click Settings > Configure.
Select the port 6514 from the dropdown.
Follow the steps TLS Enabled Syslog Docs. to get the TLS certificates.
Upload the PKCS12 file, enter your password, and click Save.
Communication from Netskope to Secureworks will be successful on port 6514.
In Cloud Exchange, go to Setting > Plugins.
Search for and select the Secureworks button to open the plugin creation pages.
Enter a Configuration Name.
Select a valid Mapping. (Default Mappings for all plugins are available.
Click Next.
Enter your Collector IP address for the Secureworks Server, select the Secureworks Format and Secureworks Protocol, and then enter the Secureworks Port and Secureworks Certificate.
Enter a Log Source Identifier. The Default value would be netskopece. The Log Source Identifier should not contain whitespaces. This will be added as a prefix to all logs.
Click Save.
Go to Log Shipper > Business Rules.
Click Create New Rule.
Enter a Rule Name and select the filters to use.
Click Save.
Go to Log Shipper > SIEM Mappings and click Add SIEM Mapping.
Select a Source Configuration, Business Rule, and Destination Configuration.
Click Save.
To validate the plugin workflow, you can check in Netskope Cloud Exchange and in your Secureworks instance.
To validate from Netskope Cloud Exchange, go to Logging.
 |
To validate from the Secureworks instance, there are two ways:
Go to Integrations > Data Sources.
You can also check the same from Integrations > Data Collectors. Thereafter, click on your data collector and enter the required query to search the data.
To validate the Raw data user, go to Advanced search and write the query per the suggestions on the left.
