
Zoho Vault Integration

Log Integration procedure:

Introduction

This document describes a Python script designed to fetch audit logs from Zoho Vault and send them to Logstash for further processing.

Prerequisites

• Client credentials for Zoho Vault API access:
  o Client ID
  o Client Secret
  o Refresh Token
• Zoho Vault API URL for audit logs
• Permissions:
  o AuditLogRead.All
  o DeviceManagementManagedDevices.Read.All
  o DeviceManagementManagedDevices.PrivilegedOperations.All

Configuration

• Access Token Retrieval Script

This script retrieves a fresh access token using the refresh token and stores it in a configuration file. Replace placeholders with your credentials and desired file paths.

Code Snippet (Access Token Retrieval Script)

```python
import requests


def get_new_access_token(refresh_token, client_id, client_secret, redirect_uri,
                         grant_type='refresh_token'):
    """Exchange the long-lived refresh token for a fresh access token."""
    payload = {
        'refresh_token': refresh_token,
        'client_id': client_id,
        'client_secret': client_secret,
        'redirect_uri': redirect_uri,
        'grant_type': grant_type,
    }
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    response = requests.post(token_url, data=payload, headers=headers)
    if response.status_code == 200:
        return response.json()
    response.raise_for_status()


# Configuration (replace placeholders with your details)
grant_type = 'refresh_token'
token_url = 'https://accounts.zoho.com/oauth/v2/token'  # Zoho OAuth token endpoint
redirect_uri = 'http://www.zoho.com/'  # Must match the redirect URI registered for the OAuth client
refresh_token = ''
client_id = ''
client_secret = ''
access_token_file_path = '/opt/lc/conf/zoho/vault_access_token.conf'  # Path to store the access token

token_response = get_new_access_token(refresh_token, client_id, client_secret, redirect_uri)
access_token = token_response['access_token']

# The conf file holds a bearer credential: keep it readable by the collector account only
with open(access_token_file_path, 'w') as file:
    file.write(f'access_token={access_token}\n')

print('New access token stored in:', access_token_file_path)
# The full response contains the access token itself; avoid printing it into persistent logs
print('Token response:', token_response)
```

• Log Fetching and Processing Script

This script fetches logs from Zoho Vault in pages, extracts details, and sends them to Logstash. Update configurations for API URL, log file path, and Logstash details.

Code Snippet (Log Fetching and Processing Script)

```python
import json
import os
import socket
from datetime import datetime

import requests


def read_access_token(file_path):
    """Return the access token written by the token-retrieval script, or None."""
    try:
        with open(file_path, 'r') as file:
            for line in file:
                if line.startswith('access_token='):
                    # Split on the first '=' only; the token value itself may contain '='
                    key, access_token = line.strip().split('=', 1)
                    return access_token
    except Exception as e:
        print(f"An error occurred while reading the access token: {e}")
    return None


def call_api_with_access_token(api_url, access_token, rows_per_page, page_number):
    """Fetch one page of audit logs; returns (start, end, totalrows, rows)."""
    headers = {
        'Authorization': f'Bearer {access_token}'
    }
    params = {
        "rowsPerPage": rows_per_page,
        "page": page_number
    }
    try:
        response = requests.get(api_url, headers=headers, params=params)
        response.raise_for_status()  # Raise an HTTPError for bad responses

        if response.status_code == 200:
            api_data = response.json()
            operation = api_data.get('operation', {})
            details = operation.get('Details', [])

            # Details[0] carries the rows, Details[1] the paging counters
            if len(details) >= 2:
                data = details[0]
                start_count = details[1].get('start', 0)
                end_count = details[1].get('end', 0)
                totalrows_count = details[1].get('totalrows', 0)
                return start_count, end_count, totalrows_count, data
            else:
                return 0, 0, 0, {}  # Handle case where data structure is unexpected
        else:
            print(f"Unexpected status code: {response.status_code}")
            print(response.text)  # Print response content for debugging
            return 0, 0, 0, {}

    except requests.exceptions.HTTPError as err:
        print(f"HTTP error occurred: {err}")
        return 0, 0, 0, {}
    except Exception as e:
        print(f"An error occurred: {e}")
        return 0, 0, 0, {}


def read_last_total_count(log_file_path):
    """Read the checkpoint (next row to fetch) left behind by the previous run."""
    try:
        with open(log_file_path, 'r') as log_file:
            lines = log_file.readlines()
        for line in reversed(lines):
            if line.startswith('next_start'):
                total_count = int(line.split('=')[1].strip())
                return total_count
        return 0  # If no valid total count found, start from 0
    except FileNotFoundError:
        return 0  # Start from 0 if file does not exist


def store_total_count_to_file(log_file_path, totalrows_count):
    """Persist the checkpoint, replacing an existing next_start line if there is one."""
    updated_lines = []
    count_updated = False

    if os.path.exists(log_file_path):
        with open(log_file_path, 'r') as file:
            lines = file.readlines()
    else:
        lines = []

    for line in lines:
        if line.startswith("next_start"):
            count_updated = True
            updated_lines.append(f"next_start = {totalrows_count}\n")
        else:
            updated_lines.append(line)

    if not count_updated:
        updated_lines.append(f"next_start = {totalrows_count}\n")

    with open(log_file_path, 'w') as file:
        file.writelines(updated_lines)


def ensure_log_file(log_file_path):
    """Create the checkpoint file with a dated header if it does not exist yet."""
    if not os.path.exists(log_file_path):
        with open(log_file_path, 'w') as file:
            file.write(f"# Logcount for {datetime.now().strftime('%Y-%m-%d')}\n")


def send_to_logstash(logs):
    """Ship each record as one JSON object per line over TCP; returns 0 on success, -1 on failure."""
    status = -1
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.connect((logstash_host, logstash_port))
            for log in logs:
                message = json.dumps(log)
                sock.sendall(message.encode('utf-8'))
                sock.sendall(b'\n')  # newline-delimited JSON, matching a json_lines codec on the Logstash side
            status = 0
    except Exception as e:
        print(f"Failed to send logs to Logstash: {e}")
    return status


# Configuration
access_token_file_path = '/opt/lc/conf/zoho/vault_access_token.conf'  # Conf file where the access token is stored
log_file_path = '/opt/apps/zoho-vault/zoho_audit_activity.conf'  # Single file holding the next_start checkpoint
api_url = 'https://vault.zoho.com/api/rest/json/v1/audit/logs'  # Audit-log endpoint listed in this document; adjust for your Zoho data centre
rows_per_page = 25
page = 1

# Logstash configuration
logstash_host = 'localhost'  # Change to your Logstash host if different
logstash_port = 12337  # Change to your Logstash port if different

try:
    flag = True
    while flag:
        previous_totalrows_count = read_last_total_count(log_file_path)
        if previous_totalrows_count == 0:
            previous_totalrows_count = 1
        start = previous_totalrows_count

        access_token = read_access_token(access_token_file_path)
        if access_token:
            start_count, end_count, totalrows_count, details = call_api_with_access_token(
                api_url, access_token, rows_per_page, page)
            page += 1

            if totalrows_count == 0:
                flag = False
            elif totalrows_count >= start:
                ensure_log_file(log_file_path)
                send_log = send_to_logstash(details)
                if send_log == -1:
                    print("unable to send logs to logstash")
                    flag = False
                else:
                    # Advance the checkpoint only after the batch was delivered, so a
                    # failed send does not silently skip these rows on the next run
                    next_start = end_count + 1
                    store_total_count_to_file(log_file_path, next_start)
            else:
                print('No new records added.')
                flag = False
        else:
            print('Failed to retrieve the access token.')
            flag = False  # Every retry would fail without a token; stop instead of looping forever
    print("Data retrieval and storage complete.")
except requests.exceptions.HTTPError as err:
    print('HTTP error:', err)
except Exception as e:
    print('An error occurred:', e)
```

Note: Copy the code from Meydan and SPC client.

3. Set up a Logstash pipeline that receives the logs on input port 12337/tcp, then follow the further steps.


Endpoint values referenced by the two scripts above (the page listed them separately at the end):

```python
token_url = 'https://accounts.zoho.com/oauth/v2/token'  # Zoho OAuth token endpoint (token retrieval script)
redirect_uri = 'http://www.zoho.com/'  # Redirect URI registered for the OAuth client (token retrieval script)
api_url = 'https://vault.zoho.com/api/rest/json/v1/audit/logs'  # Zoho Vault audit-log endpoint (log fetching script)
```
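The Logstash side of step 3, as an added example that is not part of the original page or the BluSapphire product: the fetching script writes one `json.dumps(log)` object followed by a newline, so the tcp input needs the `json_lines` codec on port 12337. Binding to 127.0.0.1 assumes the script runs on the Logstash host (the script's `localhost` default); the tag, the `log_source` field and the stdout output are assumptions for verification and would be replaced by the platform's real output.

```conf
input {
  tcp {
    host  => "127.0.0.1"          # loopback only: the input has no authentication and the script connects to localhost
    port  => 12337                # matches logstash_port in the fetching script
    codec => json_lines           # one JSON object per line, exactly what send_to_logstash() emits
    tags  => ["zoho_vault_audit"] # assumed tag, used to scope the filter below
  }
}

filter {
  if "zoho_vault_audit" in [tags] {
    mutate {
      add_field => { "log_source" => "zoho_vault" }  # assumed field name for downstream routing
    }
  }
  # A line that is not valid JSON is kept and tagged _jsonparsefailure by the codec,
  # so a broken batch shows up in the output instead of vanishing
}

output {
  stdout { codec => rubydebug }   # verification only; replace with the platform's real output
}
```

A quick end-to-end check once the pipeline is running is to send a single line with `printf '{"check":1}\n' | nc 127.0.0.1 12337` and confirm the event appears on stdout with the tag and `log_source` set.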