Frequently Asked Questions (FAQ)

Last updated 4 months ago

1. Is log data stored on my local network?

  • Log data is stored with the M-SOC provider. The regulator requires that the M-SOC provide 6 months of online and 18 months of offline storage, a total of 24 months of data. The M-SOC is responsible and accountable for storing this data and provisioning it on demand to the exchange and/or auditors. REs may also access this data easily using their own logins created through the self-service portal.

2. Will I have access to the logs, or does only the M-SOC have access?

  • Yes, REs will have direct read-only access to the logs themselves. In fact, REs will have access to everything that an M-SOC analyst has access to, including logs, dashboards, tickets, alerts, incidents and reports.

3. How will you collect data from my environment?

  • We only collect logs from your environment. These could be operating system logs, application logs, webserver logs, firewall logs, etc. The types of logs we collect depend on your organization's infrastructure and the security measures in place.

4. I want to include only some of my critical machines. Is that possible?

  • Yes, we can tailor the deployment to focus on critical machines based on your requirements. According to SEBI guidelines, this must be done in consultation with your SPOC or someone familiar with your infrastructure. If your critical machines are not on a separate zone or VLAN with strict access controls, it is generally not advisable to include only the critical machines: a compromised non-critical host on the same network segment is the usual stepping stone to the critical ones, and its logs are what reveal that lateral movement. In that case all systems have to be included.

5. What is EDR and why is it needed?

  • EDR (Endpoint Detection and Response) extends traditional antivirus. Besides blocking known malware, it records endpoint activity (process, file, network and registry events) so that suspicious behaviour can be detected and responded to on devices like computers and servers. Most Windows operating systems come with Windows Defender by default. In large, complex infrastructures, dedicated EDR tools that operate across Windows and Linux systems may be needed.

6. What is the onboarding process, and how long does it take?

  • Step 1: Register on the portal with all the required details.

  • Step 2: Upon login, you will be directed to a landing page with links to download the required lightweight agents that will forward the logs.

  • Step 3: Follow the standard installation instructions provided on the portal page.

The entire onboarding process takes less than 10 minutes to complete. Installing the log forwarding agents could take up to 5 minutes; administrator privileges are needed for the install.

7. Can you send me the onboarding process and company details?

  • The onboarding process includes:

  • Registering on the portal.

  • Downloading the necessary agents.

  • Installing the agents as per the provided instructions.

8. In the case of an attack on BluSapphire, what will happen to my environment?

  • BluSapphire maintains robust security measures to protect both our platform and your environment. We are an ISO 27001 certified company and our data center is SOC 2 Type 2 certified. Additionally, there is no inbound connectivity to your environment from BluSapphire (the agents connect outbound), so your environment is not reachable from our platform. In the unlikely event of an attack, our multi-layered security architecture minimizes risks to your data and operations.

9. What data/logs will be pushed from BluSapphire to my environment? Is it safe?

  • Nothing is pushed into your environment: as noted in question 8, there is no inbound connectivity from BluSapphire, and the agents only send logs outbound. For a list of the logs we collect, please refer to the "Logs Collected" section. All data in transit and at rest is encrypted and complies with industry standards to ensure your safety.

10. What kind of reports can I expect from BluSapphire?

  • BluSapphire provides standard Monthly and Quarterly reports, which include high-level overviews of security posture, threat intelligence, and incident analysis.

11. What support can I expect if I struggle to download or deploy the solution?

  • Our support team (support@blusapphire.com) provides end-to-end assistance during the download and deployment process. We offer 24x7 product services to help resolve any challenges.

12. What components will BluSapphire deploy for me? How can I opt for SOAR capabilities?

  • For smaller infrastructures, we only install the log forwarding agents. For a complex/mature infrastructure, BluSapphire will deploy a log collector.

  • If you are interested in SOAR (Security Orchestration, Automation, and Response) capabilities, please contact our sales team at sales@blusapphire.com to discuss customized options and pricing.

13. Is EDR (Endpoint Detection and Response) mandatory for the endpoints?

  • EDR is not mandatory, but highly recommended for proactive cybersecurity.

14. Is remediation part of the stakeholder responsibilities, or does it fall under BluSapphire?

  • Remediation is the responsibility of the stakeholders. A detailed RACI chart will describe these responsibilities in greater detail. However, remediation assistance is available at an additional fee.

15. The announcement says this is the pilot and the actual go-live will be the 1st of April. Will we be charged from now or from April?

  • Billing starts immediately. Invoicing and payment are upfront.

16. There is a mention of a pilot in the announcement.

  • The pilot is mainly to fine-tune the engagement process between the M-SOC and the exchange. For REs, compliance is already due.

17. The SEBI circular says the effective date is 1st April; we will get back to you in March.

  • Compliance with CSCRF is mandatory. April 1st is the date to finalize the notification requirements between SEBI, the exchange and the M-SOC. Onboarding should start as early as possible: we run a priority onboarding queue, and the system and processes will need a few weeks to stabilize in your environment.

18. If we have a VM with multiple apps on it, will it be counted as one device or multiple devices?

  • A VM counts as one endpoint, along with its operating system logs. Each application covered for compliance counts as one additional endpoint.

    • Eg 1: if you have an email server on a VM, the VM will be counted as one endpoint and the email server shall be counted as another endpoint.

    • Eg 2: consider an environment with the below infrastructure:

      • 20 laptops

      • 5 servers

      • Two web applications (hosted on two of the 5 servers listed above)

      • Two AWS instances

      In this case, the total number of endpoints counted is:

      • 20 laptops + 5 servers + 2 web applications + 2 AWS instances = 29 endpoints.

19. What is the log retention policy?

  • All logs are retained for 6 months online and 18 months offline as per SEBI requirements. REs are not required to pay anything additional; the fee covers everything.

20. Will I have unlimited access to my logs?

  • Yes, REs themselves will also have unlimited access to their logs. REs will always have access to all the published dashboards. However, an RE will only have access to its own data, and the dashboards will only reflect its own data.

21. Who will be monitoring my logs for security alerts and incidents, the "Exchange" or the "M-SOC"?

  • The M-SOC will be responsible for monitoring RE logs for security alerts and incidents. Once an incident has been identified, the M-SOC and the RE have to follow the incident management workflow and perform their requisite duties to close the incident.

22. Who else will be aware of cyber security incidents in my environment?

  • The M-SOC will notify the RE of the security incident. Critical incidents are notified to CERT-In as per SEBI requirements.

23. What is EPS? I hear other vendors offering pricing based on EPS.

  • EPS stands for Events Per Second. It is very dynamic and confusing for REs with little infrastructure. If you are an RE with fewer than 100 endpoints, you are usually better served by the per-endpoint pricing model. REs with large-scale, complex infrastructure clearly understand EPS and may opt for it instead. Please reach out to msoc@blusapphire.com for pricing.

24. Will the M-SOC provide VAPT and audit services also?

  • Yes, the M-SOC will provide VAPT and audit services at additional pricing. Please refer to the document section of the portal, where you will see a full list of all additional services offered by the M-SOC.

25. Do I have to declare the assets in my infrastructure? Why is this needed?

  • Yes. There is an "AssetInventory.xls" template file under documents in your onboarding portal. Please fill out the details of the assets you are onboarding in the same format. A list provided in any other format shall not be accepted.

  • The M-SOC will monitor these assets and notify you of the non-availability of an asset or if the M-SOC stops receiving logs from an asset.

  • REs can upload multiple versions of the asset list with updated assets at any time.
