
Cisco pxGrid Integration

Rapid Response Capabilities using Cisco pxGrid


Last updated 7 months ago

Cisco pxGrid

With Cisco pxGrid (Platform Exchange Grid), your multiple security products can now share data and work together. This open, scalable, and IETF standards-driven platform helps you automate security to get answers and contain threats faster.

Please Note:

  1. The integration is for pxGrid 2.0 and compatible with Cisco ISE 2.4 and above.

  2. The below configuration works without certs for now. Support for Certs will be added soon.

BluSapphire integration with Cisco pxGrid

The integration provides two capabilities:

1. Contextual information in the BluSapphire UI, using the session information provided by Cisco ISE.

2. A quarantine action on an endpoint, using an ISE Adaptive Network Control (ANC) policy.

Configuration

Registration using username and password

1. Open the BluSapphire UI and, from Settings → Integrations, open the Cisco pxGrid registration page.

2. Enter the client hostname in Client Node, enter the pxGrid nodes in the pxGrid Nodes text area, and click Submit to save the Client Name and pxGrid Nodes.

3. HA failover can be configured by entering two pxGrid nodes. BluSapphire connects to both nodes simultaneously. Initially the first (primary) node is the active node. If the primary node goes offline, the secondary node is marked as the active node; when the primary node comes back online, it is automatically marked as the active node again. Data is processed from the current active node only, so that events are not duplicated.

4. Click Register to initiate client registration with username/password in Cisco ISE.

5. Click the Registration Status button to view the status of the registration.

6. If the registration status is shown as Pending, seek approval from the Cisco ISE administrator. If the registration status is shown as Enabled, the registration process has completed successfully.

7. To approve the client on Cisco ISE, log in as an administrator and open the Cisco ISE --> pxGrid page to approve the pending registration.

8. Look for the client registration entry in Cisco ISE -> pxGrid with the status shown as Pending.

9. Select the client and click Approve.

10. Once approved, go to Cisco ISE -> pxGrid -> Web Clients and verify that the client status is shown as ON.

11. Go back to the BluSapphire UI and check the Registration Status. The status shows Enabled if registration was successful.

Create ANC Policy

To create an ANC policy, log in to Cisco ISE as an administrative user and do the following:

a. Open Operations -> Adaptive Network Control -> Policy List.

b. Click Add to create a new policy with the required actions.

c. After clicking Add, the following form is displayed.

d. Enter a unique policy name and select the QUARANTINE action from the given list.

e. After selecting the action, click Submit to save the changes.

f. If the submit is successful, the new policy is shown in the Policy List.

Scenarios

Contextual Information

BluSapphire takes the contextual information feed from Cisco ISE and uses it to show any device/host's contextual information. You can see it as shown below:

1. Open the BluSapphire WebUI and go to the Network Behavior -> Intrusions page.

2. To view an intrusion in detail, double-click the intrusion.

3. This opens the intrusion alert details as shown below.

4. Now click the Triage (Tr) link at the top right corner, beside the previous and next entries.

5. The triage page opens in a new tab, as shown below. Double-click the entry in the right panel to fetch the host details from the session details captured from Cisco pxGrid.

6. Host details are shown in the panels below.

Quarantine / Response Action

1. Open the BluSapphire WebUI and go to the Network Behavior -> Intrusions page.

2. To view an intrusion in detail, double-click the intrusion.

3. This opens the intrusion alert details as shown below.

4. Now click the Triage (Tr) link at the top right corner, beside the previous and next entries.

5. The triage page opens in a new tab, as shown below. Double-click the entry in the right panel to fetch the host details from the session details captured from Cisco pxGrid.

6. Host information is shown in the panel below.

7. To quarantine the selected host, click the red lock at the top right of Host Information.

8. To verify, go to Cisco ISE -> Operations -> Adaptive Network Control -> Endpoint Assignments. The MAC address of the quarantined system is listed there.

Troubleshooting

1. Contextual Information / Host Information does not display anything.

Solution:

Check that the Registration Status shows "Enabled".

If the registration status shows "Pending" or "Disabled", log in to the Cisco ISE console, go to Cisco ISE -> pxGrid -> Web Clients, and verify that the client status is shown as ON.

Please check that you completed all the registration steps shown in the Registration section above.

2. Quarantine does not work.

Solution: Follow the troubleshooting steps described above. Additionally, check that an ANC policy has been defined as described in the "Create ANC Policy" section above.
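The registration states (Pending / Enabled / Disabled) and the two-node failover rule that the Registration and Troubleshooting sections describe, worked through as an added Python example that is not BluSapphire's or Cisco's code. PxGridClient and FakeIse are hypothetical: the AccountCreate and AccountActivate endpoints, the /pxgrid/control path and port 8910 follow Cisco's public pxGrid 2.0 REST samples but are treated as assumptions here; the hostnames, credentials and version string are constructed; and FakeIse is an offline stand-in for an ISE deployment that only models username/password registration, matching the note above that the configuration currently works without certificates.

```python
"""Added example (not BluSapphire's or Cisco's code): username/password registration,
the two-node HA rule and the Troubleshooting states, run offline against a FakeIse."""
import base64
from typing import Callable, Dict, List, Optional, Tuple

PXGRID_PORT = 8910  # pxGrid 2.0 control API port; assumption taken from Cisco's public REST samples
# transport(url, json_body, authorization_header) -> parsed JSON; raises ConnectionError if the node is down
Transport = Callable[[str, dict, Optional[str]], dict]

# Troubleshooting section: what each Registration Status means for the operator.
STATE_ADVICE = {
    "ENABLED": "Registration complete; contextual information and quarantine should work.",
    "PENDING": "Seek approval from the Cisco ISE administrator (ISE -> pxGrid -> Web Clients).",
    "DISABLED": "Client is not ON under ISE -> pxGrid -> Web Clients; re-check the registration steps.",
    "UNREACHABLE": "No pxGrid node answered; verify the pxGrid Nodes entered in the BluSapphire UI.",
}


class PxGridClient:
    def __init__(self, node_name: str, pxgrid_nodes: List[str], transport: Transport):
        self.node_name = node_name              # "Client Node" field in the BluSapphire UI
        self.pxgrid_nodes = list(pxgrid_nodes)  # first entry is the primary node
        self.transport = transport
        self.username: Optional[str] = None
        self.password: Optional[str] = None

    def _call(self, host: str, action: str, body: dict, authed: bool) -> dict:
        # AccountCreate / AccountActivate are the pxGrid 2.0 control endpoints (assumption, see lead-in)
        url = f"https://{host}:{PXGRID_PORT}/pxgrid/control/{action}"
        auth = None
        if authed:
            auth = "Basic " + base64.b64encode(f"{self.username}:{self.password}".encode()).decode()
        return self.transport(url, body, auth)

    def register(self) -> str:
        """Step 4: AccountCreate on the first reachable node; ISE issues the username/password."""
        for host in self.pxgrid_nodes:
            try:
                acct = self._call(host, "AccountCreate", {"nodeName": self.node_name}, authed=False)
            except ConnectionError:
                continue
            self.username, self.password = acct["userName"], acct["password"]
            return host
        raise ConnectionError("no pxGrid node reachable")

    def status(self) -> Tuple[Optional[str], str]:
        """Steps 3 and 5: (active node, accountState). Nodes are tried in configured order, so the
        primary is active whenever it answers and the secondary only while the primary is down."""
        for host in self.pxgrid_nodes:
            try:
                return host, self._call(host, "AccountActivate", {}, authed=True)["accountState"]
            except ConnectionError:
                continue
        return None, "UNREACHABLE"


class FakeIse:
    """Constructed stand-in for an ISE deployment with two pxGrid nodes (offline demo only)."""

    def __init__(self, hosts: List[str]):
        self.hosts, self.down = set(hosts), set()           # all nodes / nodes currently offline
        self.accounts: Dict[str, Dict[str, str]] = {}       # userName -> {"password", "state"}

    def approve(self, user_name: str) -> None:
        """Steps 7-9: the ISE admin approves the pending client under pxGrid -> Web Clients."""
        self.accounts[user_name]["state"] = "ENABLED"

    def __call__(self, url: str, body: dict, auth: Optional[str]) -> dict:
        host, _, rest = url[len("https://"):].partition(":")
        action = rest.rsplit("/", 1)[1]
        if host not in self.hosts or host in self.down:
            raise ConnectionError(host)
        if action == "AccountCreate":  # new accounts start PENDING until an admin approves them
            self.accounts[body["nodeName"]] = {"password": "constructed-secret", "state": "PENDING"}
            return {"nodeName": body["nodeName"], "userName": body["nodeName"], "password": "constructed-secret"}
        if action == "AccountActivate":
            user, _, pw = base64.b64decode((auth or "Basic ")[6:]).decode().partition(":")
            acct = self.accounts.get(user)
            if acct is None or acct["password"] != pw:
                raise PermissionError("401 Unauthorized")
            return {"accountState": acct["state"], "version": "2.0.0.13"}  # constructed version string
        raise ValueError(f"unsupported action {action}")


def demo() -> Dict[str, Optional[str]]:
    """Registration, approval, then a primary-node outage; returns what was observed at each point."""
    nodes = ["ise-pxgrid-1.example.local", "ise-pxgrid-2.example.local"]  # constructed hostnames
    ise = FakeIse(nodes)
    client = PxGridClient("blusapphire-01.example.local", nodes, ise)
    seen: Dict[str, Optional[str]] = {}
    client.register()
    seen["after_register"] = client.status()[1]        # PENDING: approval still needed
    ise.approve(client.username)
    seen["after_approve"] = client.status()[1]         # ENABLED
    seen["active_primary_up"] = client.status()[0]
    ise.down.add(nodes[0])
    seen["active_primary_down"] = client.status()[0]   # secondary takes over
    ise.down.discard(nodes[0])
    seen["active_primary_back"] = client.status()[0]   # primary is active again
    return seen
```

Calling demo() walks through the same sequence an operator sees in the UI: Pending right after Register, Enabled once the ISE administrator approves, and the active node moving to the secondary only while the primary is offline. The failover rule is deliberately order-based rather than "first node to answer"; that is what lets the primary reclaim the active role automatically when it returns and keeps a session from being processed from both nodes.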