Flowmon ADS and Integration with Security Event Management

This blog post explains how to nicely enhance logs received from Flowmon ADS in virtually any SEM/SIEM.

How to Enhance logs in SEM/SIEM with URL pointing back to Flowmon ADS

This blog post explains how to nicely enhance logs received from Flowmon ADS in virtually any SEM/SIEM. There is no dispute that Flowmon logs contain useful information for IT operations and company security staff. Information provided by Flowmon is available, with other security systems, in a single pane, enabling you to see what is going on in your network, as well as enabling you to swiftly search through information, which can also be archived.  In short, the single pane of view is one of the top benefits that a centralised SEM can bring. But with a single event, for an  in-depth understanding and further investigation sometimes it is necessary to  look back into the user interface of a given source device of the event in question.

Flowmon ADS is a perfect example as how the integration with SEM/SIEM should work. The logs created are populated with all the necessary fields in a structured form, resulting in a simple parsing process. The Flowmon web interface allows creating a direct link to an event. What else can any vendor of a SEM ask for?

How to enhance logs in SEM/SIEM for Flowmon ADS with each log directly linked to Flowmon UI

Each log from Flowmon ADS contains a unique EventID. It directly refers to Flowmon ADS UI. (EventID is highlighted)

Raw log sample received by SEM/SIEM:

<182>Jul 11 12:05:28 flowmon ADS: CEF:0|Flowmon Networks|Flowmon ADS Business|9.05.06|L3ANOMALY|L3 network anomaly|4|c6a1=2001:1aea:110:110::2ad1:15a6 c6a1Label=sourceAddress smac=b4:b6:86:8e:38:cc start=Jul 11 2019 12:01:03 deviceCustomString1=flowmon.domain.org deviceCustomString1Label=ADSHostName cn1=5675862 cn1Label=EventID msg={Type:'SPOOF',TransferredData:'6.9 KiB',PacketCount:'58'} targetList: 2a00:1450:401b:805::2001, 2a00:1450:401b:806::2004

Direct url in Flowmon ADS user interface for the given event:

https://flowmon.domain.org/adsplug/events/?_adsLink=tab*Tab.Events.SimpleList|eventDetail[0]*5675862

A good SEM/SIEM should have tools to enhance the logs/events with additional metadata, which are not present in the logs directly. A sample of such metadata and transformations might look like this:

  • Geolocation - to enhance each IP with details about the country/city/whois/AS#
  • Reputation Database  - to mark an IP address/DNS with a broken reputation
  • Username lookup - to enhance the log with the true username hidden behind a given IP when an event has happened
  • Transformation/normalisation - all various MAC address formats to a single normalized one
  • MAC vendor lookup - who is the vendor of a given MAC address
  • Unification of timestamp formats - digesting different timestamps from a variety of source devices
In LOGmanager, we have a visual programming tool where with logs we can do virtually every possible transformation. The task is to have within each log a new field, carrying a direct URL pointing back to Flowmon ADS user interface. In LOGmanager, we have a unified msg.eventid field containing a unique EventID # from each log. And we know the URL matrix. So, let us do an integration in 5 minutes. 

Go to Alert and create a new alert, which does not have to alert, but update the metadata of the given event.

Capture1.JPG
Construct of the alert:
  1. check if the source log really comes from Flowmon ADS
  2. create a new variable where you will put your Flowmon appliance DNS name or IP address
  3. create a new field msg.event_url where you will put together the text, variable, and text and msg.eventid together
  4. retype the field msg.event_url into the URL data type, so LOGmanager recognises the content of this field as a URL pointing externally

There is also a test window below each alert in LOGmanager, so you can see the progress while constructing the alert. Just put a sample log from Flowmon ADS into a test window and you should be able to see the transformation and how the new field msg.event_url is being created.
Capture2.JPG
Once you are done and the test window output shows that the alert with the transformation works fine, check for newly arrived logs in the dashboard  whether they contain the msg.event_url field, as in  the screenshot below.

Capture3.JPGWell, this was a sample use case for LOGmanager.  Other SEMs/SIEMs can have a slightly different approach, but the outcome might be the same. I hope you had as much fun as I did. 

Author: Miroslav Knapovsky; CISSP,CEH, CEO & Security Solution Architect at LOGmanager