From e2ac804d3945b520adb2c494d67394f569d9794e Mon Sep 17 00:00:00 2001 From: "vladyslav.guriev" Date: Mon, 17 Jun 2024 10:30:55 +0300 Subject: [PATCH 1/5] Feature: IBM iSeries --- .../collect/integrations/endpoint/ibm_i.md | 39 +++++++++++++++++++ mkdocs.yml | 1 + 2 files changed, 40 insertions(+) create mode 100644 docs/xdr/features/collect/integrations/endpoint/ibm_i.md diff --git a/docs/xdr/features/collect/integrations/endpoint/ibm_i.md b/docs/xdr/features/collect/integrations/endpoint/ibm_i.md new file mode 100644 index 0000000000..fa0b043042 --- /dev/null +++ b/docs/xdr/features/collect/integrations/endpoint/ibm_i.md 
@@ -0,0 +1,39 @@
+uuid: fc03f783-5039-415e-915a-a4b010d9a872
+name: IBM iSeries
+type: intake
+
+## Overview
+
+IBM iSeries (AS/400) is a robust, scalable family of midrange business computers running the IBM i operating system, known for its integrated DB2 database and strong security features.
+
+{!_shared_content/operations_center/detection/generated/suggested_rules_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.md!}
+
+{!_shared_content/operations_center/integrations/generated/fc03f783-5039-415e-915a-a4b010d9a872.md!}
+
+## Configure
+
+In this guide, you will configure the gateway to forward events to syslog.
+
+### Prerequisites
+
+1. An internal syslog concentrator is required to collect and forward events to Sekoia.io.
+2. Syslog Reporting Manager installed on the iSeries. See [docs](https://www.ibm.com/support/pages/ibm-i-security) for more info.
+
+### Forward IBM iSeries events
+
+1. Ensure having `Syslog Reporting Manager` installed and configured
+2. On the SLMON menu, type `CFGSRM`
+3. On the Configure global settings, select Option `2`
+4. Type the address and the port of the log concentrator
+5. Select `RFC5424` as `Syslog format`
+6. Select `CEF` as `SIEM message format`
+7. Select the protocol for the log concentrator
+8. At the bottom of the screen, press `Enter` to save the changes
+
+## Create the intake
+
+Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format IBM iSeries.
+
+## Send logs to Sekoia.io
+
+Please consult the [Syslog Forwarding](../../../ingestion_methods/sekoiaio_forwarder/) documentation to forward these logs to Sekoia.io.
diff --git a/mkdocs.yml b/mkdocs.yml
index 4f3d945adf..e1eee70e2c 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -195,6 +195,7 @@ nav: - ESET Protect: xdr/features/collect/integrations/endpoint/eset_protect.md - HarfangLab: xdr/features/collect/integrations/endpoint/harfanglab.md - IBM AIX: xdr/features/collect/integrations/endpoint/ibm_aix.md + - IBM iSeries: xdr/features/collect/integrations/endpoint/ibm_i.md - Linux: xdr/features/collect/integrations/endpoint/linux.md - Microsoft Intune: xdr/features/collect/integrations/endpoint/microsoft_intune.md - Panda Security Aether: xdr/features/collect/integrations/endpoint/panda_security_aether.md From b1acda0a4e1b4e6a7ed39081d3e3f950b4664f3f Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 19 Jun 2024 10:44:18 +0200 Subject: [PATCH 2/5] fix(IBM): add recommended protocol --- docs/xdr/features/collect/integrations/endpoint/ibm_i.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/xdr/features/collect/integrations/endpoint/ibm_i.md b/docs/xdr/features/collect/integrations/endpoint/ibm_i.md index fa0b043042..16249f6611 100644 --- a/docs/xdr/features/collect/integrations/endpoint/ibm_i.md +++ b/docs/xdr/features/collect/integrations/endpoint/ibm_i.md @@ -27,7 +27,7 @@ In this guide, you will configure the gateway to forward events to syslog. 4. Type the address and the port of the log concentrator 5. Select `RFC5424` as `Syslog format` 6. Select `CEF` as `SIEM message format` -7. Select the protocol for the log concentrator +7. Select the protocol for the log concentrator (`TCP` is recommended) 8. At the bottom of the screen, press `Enter` to save the changes ## Create the intake From 7a2d74de1df6d28c8c5a55c92fd75848bd5aab64 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 19 Jun 2024 10:55:41 +0200 Subject: [PATCH 3/5] fix(IBM): add beta mention --- docs/xdr/features/collect/integrations/endpoint/ibm_i.md | 3 +++ 1 file changed, 3 insertions(+) 
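Review bot: Step 7 of the patch-2 hunk now recommends `TCP`, but it says nothing about confidentiality, and syslog over plain TCP carries the forwarded events unencrypted across the network — including, once the later "Enable Audit logs" section is followed, CD entries that hold full command strings and AF entries describing authority failures on the system. If Syslog Reporting Manager offers a TLS-capable protocol choice at this step the page should recommend it over bare TCP; if it does not (I cannot tell from the page), a one-sentence caveat that the link between the iSeries and the concentrator must stay on a trusted segment or inside a tunnel is the minimum a practitioner needs. Suggested wording: `7. Select the protocol for the log concentrator (TCP is recommended over UDP; note that syslog over plain TCP is not encrypted, so prefer a TLS option if available or keep the path to the concentrator on a trusted network)`. The recommendation should also say what "recommended" buys, i.e. that TCP avoids the silent event loss UDP allows, so readers understand it is about delivery rather than security.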
diff --git a/docs/xdr/features/collect/integrations/endpoint/ibm_i.md b/docs/xdr/features/collect/integrations/endpoint/ibm_i.md index 16249f6611..e73ffcdd3b 100644 --- a/docs/xdr/features/collect/integrations/endpoint/ibm_i.md +++ b/docs/xdr/features/collect/integrations/endpoint/ibm_i.md @@ -6,6 +6,9 @@ type: intake IBM iSeries (AS/400) is a robust, scalable family of midrange business computers running the IBM i operating system, known for its integrated DB2 database and strong security features. +!!! warning + Important note - This format is currently in beta. We highly value your feedback to improve its performance. + {!_shared_content/operations_center/detection/generated/suggested_rules_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.md!} {!_shared_content/operations_center/integrations/generated/fc03f783-5039-415e-915a-a4b010d9a872.md!} From a84f78818ebf97a7647cbbf8f2bb2bc15c01744f Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 19 Jun 2024 11:01:52 +0200 Subject: [PATCH 4/5] fix(IBM): add supported versions and supported events --- .../collect/integrations/endpoint/ibm_i.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/docs/xdr/features/collect/integrations/endpoint/ibm_i.md b/docs/xdr/features/collect/integrations/endpoint/ibm_i.md index e73ffcdd3b..907ff75d39 100644 --- a/docs/xdr/features/collect/integrations/endpoint/ibm_i.md +++ b/docs/xdr/features/collect/integrations/endpoint/ibm_i.md 
@@ -9,6 +9,24 @@ IBM iSeries (AS/400) is a robust, scalable family of midrange business computers !!! warning Important note - This format is currently in beta. We highly value your feedback to improve its performance. +## Supported versions + +This integration supports the following versions: + +- 7.3 +- 7.4 +- 7.5 + +## Supported events + +This integration supports the following events: + +- Audit journal +- Integrated file system monitoring +- Message queues monitoring +- Database monitoring +- History logs + {!_shared_content/operations_center/detection/generated/suggested_rules_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.md!} {!_shared_content/operations_center/integrations/generated/fc03f783-5039-415e-915a-a4b010d9a872.md!} From a1a03d7142e2de6eff95b13af371cfcc1042c374 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 19 Jun 2024 11:07:44 +0200 Subject: [PATCH 5/5] fix(IBM): add section to explain how to enable audit logs --- .../features/collect/integrations/endpoint/ibm_i.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/docs/xdr/features/collect/integrations/endpoint/ibm_i.md b/docs/xdr/features/collect/integrations/endpoint/ibm_i.md index 907ff75d39..8b02e80eb9 100644 --- a/docs/xdr/features/collect/integrations/endpoint/ibm_i.md +++ b/docs/xdr/features/collect/integrations/endpoint/ibm_i.md @@ -21,7 +21,7 @@ This integration supports the following versions: This integration supports the following events: -- Audit journal +- Audit journal (Command entry, Authority failure) - Integrated file system monitoring - Message queues monitoring - Database monitoring 
@@ -51,6 +51,15 @@ In this guide, you will configure the gateway to forward events to syslog. 7. Select the protocol for the log concentrator (`TCP` is recommended) 8. At the bottom of the screen, press `Enter` to save the changes +### Enable Audit logs (optional) + +1. On the SLMON menu, type `CFGSRM` +2. On the Configure global settings, select Option `10` +3. Enable the following type: + - AF: Authority failures + - CD: Command string audit +4. Press `F3` to save the changes + ## Create the intake Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format IBM iSeries.
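Review bot: The new section is titled `### Enable Audit logs (optional)`, yet the "Supported events" list added in patch 4 names `Audit journal (Command entry, Authority failure)`, which are exactly the CD and AF types this section switches on — without step 3 those events never reach the intake, so "optional" will lead readers to skip a step the integration depends on. Suggest retitling it `### Enable audit journal entries` and opening with `Required for the Audit journal events listed under Supported events.`. It would also help to state whether option 10 is sufficient on its own or whether system-level auditing must already be active (on IBM i this is governed by the QAUDCTL/QAUDLVL system values) — I cannot tell from the page whether SRM sets those itself, so this should be confirmed against the SRM documentation before adding a sentence either way. Finally, step 4 here says `Press F3 to save the changes` while step 8 of the previous section says `press Enter to save`; if both screens really save differently a short note saying so would avoid readers backing out of option 10 without saving.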