Experience the ultimate saas funnel for Security

How to create outlook signature

hello again everyone my name is Sana Ahmed I'm a network Security customer success engineer and the topic for today's webinar is best practices for integrating API client and syslog for SAS security API so what to expect in the next 16 minutes uh we will be sharing some useful resources and what's new inside security we will also be sharing some best practices for integrating syslog and API client on SAS security API now this will be followed by a question and answers session please feel free to enter your questions in the question answer chat box and we will be addressing those at the end now our first topic is syslog and API client integration on SAS security API now before we begin I would like to quickly overview with you what is this log and what is an API client now syslaw can be defined as a message logging standard through which any application or device can send data about events Diagnostics and more now syslog itself relies on as a stock server the slog server is used to collect the slot messages in a single location some may be physical appliances meant for large-scale environments and others may be software-based services or application now please note Tesla communicates via Port 514 yudp now what is an API client an API client is a set of tools and protocols that operate from an application on a computer you can configure an API client to put log information from SAS security API and perform additional actions an example of a third-party API client is cortex xor now just log in API client integration on SAS security API you can configure a search security API to interface with the stock servers and API clients organizations that have standardized on a specific security information and rent management tool can leverage this feature for monitoring data collection and other workflows now syslog receiver with the SAS security system of integration you can add a syslog receiver for example Splunk to enable SAS security API to push log information to external log servers and API client which are security API client integration you can add a third-party API client for example cortex excerpt to put log information from SAS security API and perform incident intermediation actions now please note that SAS security API supports once this log receiver or one API Client app with access to log data you need to delete the existing configuration before you add a new one if you want to use both Splunk in cortex xor directly connects plan to Cortex xor using the Splunk integration you need to create a client ID and client secret or cortex xor to directly connect to SAS security API now our next stop is topic is syslog integration on SAS security API now if this log is a standard lock transport mechanism that enables the aggregation of log data from different sources into a central repository for archiving so our security API can forward every type of log in generates to an external system server this does not feature requires TLS 1.0 and above Communications protocol for connections between SAS security API indexed analysis lock server in this topic we will describe how to configure syslog monitoring and we'll be sharing with you a description of supported log types and log files now configuring syslog monitoring on flash security API SAS security API supports the following log types which is incident song policy violation log remediation log activity monitoring log and admin audit log now what you need to do is you need to go to the settings page and choose external service then you need to click on adding assist log receiver to create a sysdog server profile now you can add One external so only one you can add only external service when you forward the logs to assist log receiver or add Cloud apps to SAS security API then you need to enter a name for the profile the adding information on SAS security API require you can add you need to add the following information uh to to connect it to start security API you need to enter a name you need for the server profile you need to enter server IP IP address of the syslog server you need to enter a report the port number on which you sent us now messages then you need to enter a facility select assist log standard value for example log underscore user to calculate the priority field in your system logs of implementation you need to choose a message format uh so you need to select the syslog message format to use BSD or ietf then once you hit save your changes will be saved now on the syslog server you get sales on your server and create the SSL certificate then you can enable TLS in this lock configurations setting the TLs option to peer verify and number seven is an optional step but you can customize the format of syslog messages that the SAS Security Service sends you can select the custom lock format Tab and you can select a log tie to create a custom format once you click OK you can save your changes now our next topic is sysdog field descriptions now in this topic we will be sharing the list of the standard fields of each log type SAS security API can forward to an external server as well as a security levels custom formats and Escape sequences now in order to help parsing the delimiter is a comma and each field is a comma separated value string I will also be posting the links in the chat for the description document as there are a lot of field names now the first one is incident lock Fields the incident log is generated when an incident is detected the log includes fields that will be shared in the documentation which are available for ingestion by a security information when management system now please note that files are listed in the order they are needed in the push the fields are listed in the order they're needed in the push mode the remediation activity log Fields a remediation log is generated when an incident is manually remediated or of automatic remediation is applied again the log includes the fields which will be shared in the documentation which are available for ingestion by our security information event management system please note that these fields are listed in the order that are needed for portion mode now policy violation log fails the policy violation log is generated when asset matches a policy rule the log includes the field shared in the documentation which are available for ingestion again Fire Security information event management system similarly no you need please know that these fields are listed in the order that are needed for push mode the activity monitoring log Fields the activity monitoring log is generated when a user activity rule is matched and admin audit log Fields the admin audit log is generated when SAS security API administrator performs an action such as a remediation of an incident creating a new policy rule or adding internal external collaborators the log includes the following fields which are available for ingestion biosecurity information when management system now again similarly to like the previous Fields please note that these fields are also listed in the order that they're needed for push mode Now API client integration on SAS security API the Star Security API includes a rest API to give you the ability to write API clients to integrate with SAS please note our security is hosted in the United States now in this topic we will be further discussing cortex xor for SAS security API adding your API client to SAS security API is the Atlanta authentication and API references on SAS security API now cortex xor for SAS security API now before we begin this topic I would just like to share with you what is cortex at so now cortex xor is a comprehensive security orchestration automation response platform that unifies case management automation real-time collaboration and threat Intel management to serve security teams across the incident life cycle now so our security API is now available on the cortex external marketplace with this security integration cortex xor collects incidents from SAS security API for improved security orchestation and Incident Management and Remediation of risks posed by data exfiltration on your organization sanctions as applications now in addition to the Incident Management and incident lifecycle capabilities that xsource offers with SAS security when would start security playbooks you can take actions on incidents just as you do now on SAS security web interface now these include closing incidents on cortex export using the same closed states to which you're customed you can remove public sharing links on assets you can quarantine assets you can restore quarantine assets you can send email notifications to start security administrators to request remediation of incidents and you can notify asset owners and provide remediation options to SAS security administrators to resolve incidents foreign security appears now you can configure a third-party API client for example cortex xor to authenticate to SAS security API using oauth connection for efficient Incident Management in remediation to do so you must first add an API client on SAS security API to retrieve the client ID and client secret that your API account was authentication when you add the API clients have security API you specify The Incident Management and Remediation access you want to Grant the third party API client now you can only connect one third-party up line for that you need to go to settings and choose external service you then need to click on ADD Client app then you need to enter unique neighbor API client then you need to authorize the API client for specific Scopes the Scopes are for log access and Incident Management and quarantine management now you can use these Scopes in the post request to the or endpoint you can save your changes to Grants as security API the ability to generate and display a client ID and a client secret now please note that you need to immediately record the client secret that displays after dismissal you cannot access the client secret again so configure your API client with the client ID and client secret to authenticate your API client to start security API Now API client Authentication now for API client to authenticate the Star Security API you must provide a client ID and client secret generated when you register the API client to start security API and you need to configure the client to retrieve on or all requests must use the region specific host with https in in America's apachea now to get started we'll be sharing with you how to retrieve a in water authentication errors now the API client can retrieve a for SAS security API using post request now to request the SAS security APS submits the request with the old client credentials now again I will be sharing the documentation requesting headers requesting parameters and response Fields as there are many headers parameters and response fields and it may not be possible to cover them all now authentication and errors the authentication errors include the no basic auth header if you will not include the basic auth header when retrieving a it will result in a 401 response to resolve the issue you need to see the documentation on how to retrieve the please know that all requests must use the region specific host Now API references on a security API the HTTP request methods and log events API can use to retrieve events are HTTP request method and status code login is API incident and Remediation API now HTTP request methods and Status codes now for that again I will be sharing a documentation with you on various request methods and HTTP status codes that can be used to retrieve or modify resources on SAS security API as again it may not be possible to cover them all since there are many a registered API client on SAS security API can lock all the log events endpoint to retrieve events as they occur you can retrieve the following log events please please know that all the request must use the region specific host uh but the following log events that you can retrieve are activity monitoring incidents remediation policy violation and admin audit now incident and Remediation API a registered API client on SAS security API can manage incident State and perform remediation actions based on the asset related to the corresponding incident now with incident apis scope on SAS security API you can retrieve and update incident status and with remediation API scope on SAS security API you can quarantine asset to the administrators folder for immediate review and assessment and restore quarantine Assets Now again please know that all the requests must use the region specific host I will be sharing the documentation for all the API references on SAS security API in the chat so you can study them in detail now this brings us to the end of our webinar please feel free to post any questions in the chat box and we should be able to answer them for you thank you