Documentation Center
AlienVault® USM Anywhere™

CloudPassage Halo

 

When you configure CloudPassage Halo integration to send log data to USM Anywhere, you can use the CloudPassage Halo plugin to translate the raw log data into normalized events for analysis.

Device Details
Vendor

CloudPassage

Device type Unified threat management
Connection type syslog
Vendor link See the Common Event Format Configuration Guide for Python on https://github.com/cloudpassage/halo-event-connector-python.

Integrating CloudPassage Halo

Before you configure the integration, you must have:

  • Reachability of the USM Anywhere Sensor
  • IP address of the USM Anywhere Sensor
  • Access to your CloudPassage API key
  • Python 2.6 or above
  • Event Connector script and its associated files

The Event Connector retrieves events from your CloudPassage Halo account by making calls to the CloudPassage API. The API requires the script to authenticate itself during every session. For this purpose, you must make your CloudPassage API Key available to the script.

To configure CloudPassage Halo to send log data over syslog to USM Anywhere

  1. Place all the halo-event-connector script files in the same location. These consist of the following:

    • haloEvents.py
    • cpapi.py and cputils.py
    • (Windows users only) remote_syslog.py
  2. Create a file called haloEvents.auth and place it in the same location as the other files.
  3. Retrieve and save your CloudPassage API key by following these steps:

    1. Log into the CloudPassage Portal.
    2. Go to SETTINGS > Site Administration and click the API Keys tab. If you haven’t generated an API key yet, do so by clicking Add New Key.

      If you do create an API Key, we recommend that you make the permission Read Only, as a best practice. You don't need a higher permission for this purpose.

    3. To retrieve both the Key ID and the Secret Key values for the API key, on the API Keys tab, display both values by clicking Show.

    4. Copy both and paste them into the empty haloEvents.auth file, as just one line, with the key ID and the secret separated by a vertical bar ("|"):

      <your_key_id>|<your_secret_key>

      Note: If you want to stream events from multiple Halo accounts, add one additional line to this file for each account, containing the account's key ID and secret key, formatted as shown.

  4. Configure your syslog daemon to forward the logs retrieved to the USM Anywhere Sensor, using one of thefollowing methods.

    Linux/Mac OSX users

    Check for the appropriated syslog configuration file, and add and save your USM Anywhere Sensor IP address to it:

    ls –d /etc/*syslog*

    MS Windows users

    Edit the remote_syslog.py file and replace ... host='localhost' ... in the file with ... host='<usm-anywhere-ip/hostname>'....

  5. Launch the script using the following flags:

    haloEvents.py --cefsyslog --port=514

    Where:

    • --cefsyslog = Outputting the log data in the format supported by the plugin.
    • --port=514 = (Optional) Configures the UDP port to be 514, if that is not the number you currently use for UDP.

Plugin Enablement

For plugin enablement information, see Manual Plugin Management.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • bytes_in

  • destination_address

  • destination_fqdn

  • destination_hostname

  • destination_port

  • device_direction

  • event_action

  • event_description

  • event_name

  • event_receipt_time

  • event_severity

  • operating_system

  • policy

  • rep_device_address

  • rep_device_rule_id

  • rep_device_type

  • rep_device_vendor

  • rep_device_version

  • source_address

  • source_port

  • transient

  • transport_protocol

Troubleshooting

For troubleshooting, refer to the vendor documentation:

https://api-doc.cloudpassage.com/help