Radware Cloud Services
This pack includes Cortex XSIAM content.
It supports the following Radware Cloud Services event types:
- Radware Cloud WAAP Service Access Logs.
  Access logs provide detailed data regarding client access to applications protected by Cloud WAAP.
- Radware AppWall Cloud WAF Security Event Logs.
  A security event is generated whenever Cloud WAF detects an attack, when an ongoing attack is still active, or when the status of an ongoing attack has changed. The generated security event includes the information relevant to the specific attack or security breach.
See the documentation below for the configuration required for each event type to collect into Cortex XSIAM.
Collect Radware Cloud WAAP Service Access Logs
AWS - S3 bucket
On AWS
Sign in to your AWS account and create a dedicated Amazon S3 bucket, which collects the generic logs that you want to capture.
See this doc for further instructions on how to create an S3 bucket.
On Radware Cloud Services
- Contact the Radware Support team in order to enable Access logs.
- Navigate to Account Settings and fill in the following attributes:
- Bucket Name
- Region
- Access Key
- Secret Key
- Prefix (optional)
- Click the Advanced tab and enable Access log.
- Select the application to which to export all Access logs.
For additional information, refer to the official Radware documentation.
On XSIAM:
- Navigate to Settings -> Data Sources -> Add Data Source.
- Click Amazon S3.
- Click Connect or Connect Another Instance.
- Set the following values:
  - SQS URL - Refer to Configure an Amazon Simple Queue Service (SQS) here.
  - Name as `Radware Access Log`
  - AWS Client ID
  - AWS Client Secret
  - Log Type as `Generic`
  - Log Format as `JSON`
  - Vendor as `radware`
  - Product as `access_logs`
  - Compression as `gzip`
For additional information, see this doc.
Collect Radware AppWall Cloud WAF Security Events
In order to collect AppWall Cloud WAF Security events, you need to deploy a log-collection solution such as Logstash that can interact with Amazon SQS, retrieve your queued event messages from Radware Cloud and forward them via Syslog to Cortex XSIAM.
Radware recommends using Logstash as the log-collection solution, however, any other third-party log-collection solution can be used as long as it has an interface with Amazon SQS and supports syslog forwarding.
The following steps describe the configuration with Logstash as the log-collection solution, assuming that Logstash has already been installed and deployed in your environment.
Obtain Amazon SQS Credentials
On Radware Cloud WAF Portal
- Connect to your Radware account on the Radware Cloud WAF Portal.
- Navigate to Account → Account Settings.
- Click Download SIEM Configuration to download a configuration file which includes the details of the SQS event queues and your credentials for accessing them. The file follows the naming convention siemConfigFetchConfig_<ID>.txt. Use this file in the next section when configuring Logstash (or any other log-collection solution you want to use).
Configure Logstash
The SIEM configuration file downloaded from the Radware portal (see the previous section) already contains a predefined SQS input plugin for retrieving events from Amazon SQS.
You need to update this file to include a syslog output plugin that forwards the retrieved event messages to your Cortex XSIAM Broker VM via syslog.
- Open the siemConfigFetchConfig_<ID>.txt SIEM configuration file that was downloaded from the Radware portal in the previous section.
- Define a Syslog output plugin entry with the following properties:

| Property | Value |
| --- | --- |
| host | The IP address of the Cortex XSIAM Broker VM syslog server. |
| port | The syslog service port number that the Cortex XSIAM Broker VM should listen on for receiving the Radware AppWall security events forwarded from Logstash. |
| rfc | rfc5424 |
| appname | A meaningful application name for the syslog message, for example RadwareAppWall. |

The following example demonstrates a sample configuration with a syslog output plugin (values surrounded by angle brackets are placeholders for dynamic values):
```
input {
  sqs {
    queue => "<WAF-Queue-ID-APPWALL_ATTACK>"
    access_key_id => "<The_WAF_Queue_Access_Key_ID>"
    region => "<queue-region>"
    secret_access_key => "<The_WAF_Queue_Secret_Access_Key>"
  }
}
output {
  syslog {
    host => "<THE_BROKER_VM_IP>"
    port => 514
    rfc => "rfc5424"
    appname => "RadwareAppWall"
  }
}
```
- Save the updated configuration file in the Logstash bin folder, and start Logstash.
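As an added example (not code from Radware or from this pack), the following Python script shows what a syslog output configured with rfc5424 and appname RadwareAppWall produces from one queued Cloud WAF event, and how the receiving side (the Broker VM syslog collector, or anything listening on the configured port) splits that RFC 5424 frame back into header fields and the JSON payload. The event body, host name and field names are constructed placeholders rather than Radware's actual event schema, and the facility and severity values are the assumed plugin defaults (user-level, notice) when none are set in the configuration.

```python
"""Added example, not code from Radware or the Cortex XSIAM pack: frame a
queued Cloud WAF event the way the Logstash syslog output plugin would
(rfc5424, appname RadwareAppWall) and parse that frame back as a receiver
such as the Broker VM does. Event fields and host names are constructed."""
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample SQS message body. The field names are placeholders
# for illustration only, not Radware's actual security event schema.
SAMPLE_EVENT = {
    "eventType": "APPWALL_ATTACK",
    "applicationName": "example-app",
    "sourceIp": "203.0.113.10",
    "status": "active",
}

# Assumed plugin defaults when facility/severity are not set in the config.
FACILITY_USER = 1       # user-level
SEVERITY_NOTICE = 5     # notice


def build_rfc5424(event: dict, appname: str = "RadwareAppWall",
                  hostname: str = "logstash-host",
                  ts: Optional[datetime] = None) -> str:
    """Return one RFC 5424 line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG.
    PROCID, MSGID and structured data are sent as the nil value '-'."""
    ts = ts or datetime(2024, 1, 1, tzinfo=timezone.utc)
    pri = FACILITY_USER * 8 + SEVERITY_NOTICE
    header = f"<{pri}>1 {ts.isoformat()} {hostname} {appname} - - -"
    return f"{header} {json.dumps(event, separators=(',', ':'))}"


def _split_structured_data(remainder: str):
    """Separate the SD field from MSG. SD is '-' or one or more [..] elements;
    a ']' inside a parameter value is escaped as '\\]' per RFC 5424."""
    if remainder.startswith("-"):
        return "-", remainder[2:]
    i = 0
    while i < len(remainder) and remainder[i] == "[":
        j = i + 1
        while j < len(remainder):
            if remainder[j] == "\\":
                j += 2          # skip the escaped character
                continue
            if remainder[j] == "]":
                break
            j += 1
        i = j + 1
    return remainder[:i], remainder[i + 1:]


def parse_rfc5424(line: str) -> dict:
    """Parse an RFC 5424 line into header fields and the decoded JSON event."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing PRI field")
    close = line.index(">")
    pri = int(line[1:close])
    # The six fixed header fields are space separated; MSG may contain spaces.
    version, timestamp, hostname, appname, procid, msgid, remainder = \
        line[close + 1:].split(" ", 6)
    sd, msg = _split_structured_data(remainder)
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "version": int(version),
        "timestamp": timestamp,
        "hostname": hostname,
        "appname": appname,
        "procid": procid,
        "msgid": msgid,
        "structured_data": sd,
        "event": json.loads(msg) if msg else None,
    }


if __name__ == "__main__":
    frame = build_rfc5424(SAMPLE_EVENT)
    print(frame)
    print(parse_rfc5424(frame)["event"]["eventType"])
```

Running the script prints the frame as it would leave Logstash and the event type recovered on the receiving side. The syslog output plugin sends over UDP unless its protocol option is changed, which is why the Broker VM collector in the next section is set to UDP; checking that the appname and the intact JSON body survive the round trip is a quick way to confirm the output plugin is configured before pointing it at the Broker VM.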
Configure Cortex XSIAM Broker VM Syslog Server
You will need to use the information described here.
You can configure the specific vendor and product for this instance.
- Navigate to Settings → Configuration → Data Broker → Broker VMs.
- Go to the Apps column under the Brokers tab and add the Syslog app for the relevant broker instance. If the Syslog app already exists, hover over it and click Configure.
- Click Add New.
- When configuring the Syslog Collector, set the following parameters:
| Parameter | Value |
| --- | --- |
| Protocol | Select UDP for the default forwarding. |
| Port | Enter the syslog service port that the Cortex XSIAM Broker VM should listen on for receiving Radware AppWall Cloud WAF security events forwarded from Logstash. |
| Vendor | Enter Radware. |
| Product | Enter AppWall. |