Seculert Protection REST API protocol configuration options

To receive events from Seculert, configure a log source to use the Seculert Protection REST API protocol.

The Seculert Protection REST API protocol is an active outbound protocol that provides alerts about confirmed incidents of malware that are actively communicating or exfiltrating information.

Important: Before you can configure a log source for Seculert, you must use the following steps to obtain your API key from the Seculert web portal.
  1. Log in to the Seculert web portal.
  2. On the dashboard, click the API tab.
  3. Copy the value for Your API Key.
The following table describes the protocol-specific parameters for the Seculert Protection REST API protocol:

Table 1. Seculert Protection REST API protocol parameters

Log Source Type

Seculert

Protocol Configuration

Seculert Protection REST API

Log Source Identifier

Type the IP address or hostname for the log source as an identifier for events from Seculert.

If you have multiple installations, give each additional log source that you create a unique identifier, such as an IP address or hostname.

API Key

The API key that is used for authenticating with the Seculert Protection REST API. Obtain the API key from the Seculert web portal.

Use Proxy

If the API is accessed by using a proxy, select this checkbox.

Configure the Proxy IP or Hostname, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, you can leave the Proxy Username and Proxy Password fields blank.

Recurrence

Specify how often the log source collects data. The value can be in Minutes (M), Hours (H), or Days (D). The default is 10 minutes.

EPS Throttle

The maximum number of events per second that QRadar ingests.

If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and is ingested when the data source stops exceeding the EPS throttle.

The default is 5000.

Enable Advanced Options

Select this checkbox to enable the following configuration options: Server, API Version, Query Time Interval, Allow Untrusted Certificates, Override Workflow, Workflow, and Workflow Parameters.

These parameters are visible only if you select this checkbox.

Server

The server that is used for forming the API query.

For example, [Server]/1.1/incidents/records.

The default value is https://api.seculert.com.

API Version

The API version that is used for forming the API query.

For example, https://api.seculert.com/[API Version]/incidents/records.

The default value is 1.1.

Query Time Interval

The maximum time interval for each query to collect events.

For example, if you set the interval to 15 minutes, the query collects events from the last query time to 15 minutes later. If less than 15 minutes have passed since the last query, the query collects events from the last query time until the current time.

The value must be in milliseconds (ms); 1000 ms is 1 second. The default value is 900000 ms (15 minutes).

Allow Untrusted Certificates

If you enable this parameter, the protocol can accept self-signed and otherwise untrusted certificates that are located within the /opt/qradar/conf/trusted_certificates/ directory. If you disable the parameter, the protocol trusts only certificates that are signed by a trusted signer.

The certificates must be in PEM or DER-encoded binary format and saved as a .crt or .cert file.

If you modify the workflow to include a hardcoded value for the Allow Untrusted Certificates parameter, the workflow overrides your selection in the UI. If you do not include this parameter in your workflow, your selection in the UI is used.

Override Workflow

Enable this option to customize the workflow. When you enable this option, the Workflow and Workflow Parameters parameters appear.

Workflow

The XML document that defines how the protocol instance collects events from the target API.

For more information about the default workflow, see Seculert Protection REST API protocol workflow.

Workflow Parameters

The XML document that contains the parameter values that are used directly by the workflow.

For more information about the default workflow parameters, see Seculert Protection REST API protocol workflow.

Enabled

By default, the checkbox is selected to enable the log source to communicate with QRadar.

Credibility

Select the Credibility of the log source. The range is 0 - 10.

The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.

Target Event Collector

Select the Target Event Collector to use as the target for the log source.

Coalescing Events

Select this checkbox to enable the log source to coalesce (bundle) events.

By default, automatically discovered log sources inherit the value of the Coalescing Events list from the System Settings in QRadar. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

Store Event Payload

Select this checkbox to enable the log source to store event payload information.

By default, automatically discovered log sources inherit the value of the Store Event Payload list from the System Settings in QRadar. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.
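The Server, API Version, Recurrence and Query Time Interval rows in Table 1 describe how each query is formed and bounded in time; the following Python is an added example, not QRadar's or Seculert's own code, that models those rules so you can check what a given configuration will ask for. The function names, the Recurrence string form (for example "10M") and the catch-up behaviour after a backlog are assumptions made for this illustration.

```python
"""Added example, not QRadar or Seculert code: how the Server, API Version,
Recurrence and Query Time Interval parameters in Table 1 shape each query.
Function names, the Recurrence string form and the catch-up loop are
assumptions made for this illustration."""

DEFAULT_SERVER = "https://api.seculert.com"
DEFAULT_API_VERSION = "1.1"
DEFAULT_QUERY_INTERVAL_MS = 900_000  # documented default: 15 minutes
RECURRENCE_UNITS_MS = {"M": 60_000, "H": 3_600_000, "D": 86_400_000}

def build_records_url(server=DEFAULT_SERVER, api_version=DEFAULT_API_VERSION):
    """Form [Server]/[API Version]/incidents/records, tolerating stray slashes."""
    return f"{server.rstrip('/')}/{api_version.strip('/')}/incidents/records"

def recurrence_to_ms(value):
    """Convert a Recurrence value such as '10M', '2H' or '1D' to milliseconds.
    The unit letters follow the table; the exact string form is assumed."""
    value = value.strip().upper()
    if len(value) < 2 or value[-1] not in RECURRENCE_UNITS_MS or not value[:-1].isdigit():
        raise ValueError(f"bad Recurrence value: {value!r}")
    return int(value[:-1]) * RECURRENCE_UNITS_MS[value[-1]]

def next_query_window(last_query_ms, now_ms, interval_ms=DEFAULT_QUERY_INTERVAL_MS):
    """Return (start_ms, end_ms) for the next query: it starts at the last
    query time and ends interval_ms later, but never runs past the current
    time (the 'less than 15 minutes since the last query' case in the table)."""
    if interval_ms <= 0:
        raise ValueError("Query Time Interval must be a positive number of ms")
    if now_ms < last_query_ms:
        raise ValueError("current time is earlier than the last query time")
    return last_query_ms, min(last_query_ms + interval_ms, now_ms)

def catch_up_windows(last_query_ms, now_ms, interval_ms=DEFAULT_QUERY_INTERVAL_MS):
    """Split a backlog into consecutive windows, none longer than interval_ms.
    Assumed behaviour: a collector that fell behind (for example while the
    EPS Throttle delayed collection) issues one bounded query per window
    until it reaches the present, leaving no gap between windows."""
    windows = []
    start = last_query_ms
    while start < now_ms:
        start, end = next_query_window(start, now_ms, interval_ms)
        windows.append((start, end))
        start = end
    return windows
```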