Documentation Center
AlienVault® USM Anywhere™

CoSoSys Endpoint Protector

When you configure CoSoSys Endpoint Protector to send log data to USM Anywhere, you can use the Endpoint Protector plugin to translate the raw log data into normalized events for analysis.

Device Details
Vendor CoSoSys
Device Type Data Loss Prevention
Connection Type Syslog

Integrating CoSoSys Endpoint Protector

Before you configure the CoSoSys Endpoint Protector integration, you must have the IP Address of the USM Anywhere Sensor.

To configure CoSoSys Endpoint Protector to send log data to the USM Anywhere Sensor

  1. Using the CoSoSys Endpoint Protector Reporting and Administration Tool, select the Appliance > SIEM Integration option.

  2. From the SIEM Integration display, select the Add New option to add a new SIEM Server.

  3. In the Server settings section, specify the following parameters:

    • Server Name.
    • Server Description.
    • Server IP: Specify the IP address of the USM Anywhere Sensor.
    • Server Port: The default TCP ports used by rsyslog are 513 and 514.
    • Disable MySQL Logging check box: Select this check box to disable MySQL logging.
  4. In the Log Types section, select the events you want to send to the USM Anywhere Sensor.

  5. When you have finished your entries, click Save to save your changes.

Plugin Enablement

For plugin enablement information, see Manual Plugin Management.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • application_type
  • customfield_0
  • customfield_1
  • customfield_2
  • customfield_3
  • customfield_4
  • customfield_5
  • customfield_6
  • customheader_0
  • customheader_1
  • customheader_2
  • customheader_3
  • customheader_4
  • customheader_5
  • customheader_6
  • event_name
  • file_kb_size
  • file_old_path
  • file_path
  • file_type
  • policy
  • rep_device_model
  • rep_device_type
  • source_address
  • source_hostname
  • source_mac
  • source_username

Additional Resources and Troubleshooting

https://www.endpointprotector.com/support/pdf/manual/Endpoint_Protector_4_User_Manual_EN.pdf

For troubleshooting, refer to the vendor documentation:

https://www.endpointprotector.com/support/endpoint-protector