SCADAfence

SCADAfence extends visibility into IT and OT networks. You can configure SCADAfence to create and forward alerts to InsightIDR via syslog to generate third party alerts.

SCADAfence Third Party Alerts

Third Party Alerts will only be generated when the log line has the status of “CREATED”. Otherwise, SCADAfence logs can be found in Log Search in the Unparsed Data Log set (if enabled). To check which events will create an investigation and which will only be tracked as notable behavior, navigate to Detection Rules -> Detection Rule Library and filter by the threat 'SCADAFence'.

To set up SCADAfence, you’ll need to:

  1. Review “Before you Begin” and note any requirements.
  2. Configure SCADAfence to send data to your Collector.
  3. Set up the SCADAfence event source in InsightIDR.
  4. Verify the configuration works.

Before you begin

Before you continue, ensure you have the following:

  • Access to the SCADAfence Platform
  • An intermediary server with a Rapid7 Collector installed

The intermediary server will pass alert data between InsightIDR and the SCADAfence Platform. This server can be any Linux machine with connectivity to both systems.

You must install a Rapid7 Collector on the intermediary server to send the syslog data to InsightIDR. Follow the Linux installation instructions on Collector Installation and Deployment to set up the Collector on your server.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for SCADAfence in the event sources search bar.
    • In the Product Type filter, select Third Party Alerts.
  3. Select the SCADAfence event source tile.
  4. Choose the collector you set up in the Before your Begin step.
  5. Name your event source.
  6. (Optional) Check the box for unparsed data if you also want to see all other events sent via Syslog in Log Search.
  7. Set the Event Source port.
  8. Set the transport protocol.
  9. Click Save.

Configure SCADAfence to send data to your Collector

In the SCADAfence Platform, you will need to adjust settings for Syslog Configuration.

  1. Go to Settings -> Syslog Configuration.
  2. Enter the IP of the Collector server.
  3. Enter the same port you selected during the Set up SCADAfence in InsightIDR step above.
  4. Select the transport protocol
  5. Select the minimum severity (e.g. Warning).
  6. Set the record type to "Long".
  7. Set the Delimiter Character to "Rapid7 IDR".
  8. Verify that the enabled button is set to "Yes".
  9. Save the configuration.

Verify the configuration

Complete the following steps to view your logs and ensure events are making it to the Collector:

  1. Click Data Collection in the left menu of InsightIDR and navigate to the Event Sources tab. Find the new event source that was just created and click the View Raw Log button. If you see log messages in the box, then this shows that logs are flowing to the Collector.
  2. Click Log Search in the left menu of InsightIDR.
  3. Select the applicable Log Sets and the Log Names within them. The Log Name will be the name you gave to your event source. SCADAfence logs flow into the Third Party Alerts log set when the log entry has the status of “CREATED”. Otherwise, SCADAfence logs can be found in the Unparsed Data log set (if enabled).

Please note that logs take at least 7 minutes to appear in Log Search after you set up the event source. If you see log messages when you select View Raw Log on the event source but do not see any log messages in Log Search after waiting for a few minutes for them to appear, then your logs do not match the recommended format and type for this event source.

Sample Logs

Raw Log:

<11>CEF:0|SCADAfence|SCADAfence Platform|6.5.1.15|1200|Network Scanner was detected|8|alert_ip=192.168.1.51 site=N/A alert_seq=81 status=CREATED createdOn=2021-09-13 20:40:20 updatedOn=2021-09-13 20:41:16 details=Asset 192.168.1.51 was identified as a network scanner, sending requests to too many assets/ports explanation=This asset has been identified as doing scanning activity. It can either be a legitimate scanner (monitoring or management platform), or it can be an infected asset that scans the network with a potentially malicious intent. remediation=Please check the asset. If it is a valid scanner or management system, you can resolve the alert using the don't-show-it-again check box so it will not appear again. If this is not a valid activity, you should start a remediation process for this host, and assume that the network is compromised. If this is a one-time scan by a person, you can resolve the alert and let the alert re-trigger in case there is another scanning activity. url=https://192.168.1.234/alerts/81

1
{
2
"timestamp":"2021-09-13T20:40:20.000Z",
3
"product":"SCADAfence",
4
"type":"Network Scanner Was Detected",
5
"severity":"High",
6
"title":"Asset 192.168.1.51 was identified as a network scanner, sending requests to too many assets/ports",
7
"description":"This asset has been identified as doing scanning activity. It can either be a legitimate scanner (monitoring or management platform), or it can be an infected asset that scans the network with a potentially malicious intent.",
8
"source_data":"{\"header\":{\"deviceVendor\":\"SCADAfence\",\"deviceVersion\":\"6.5.1.15\",\"name\":\"Network Scanner was detected\",\"severity\":\"8\",\"signatureId\":\"1200\",\"version\":\"0\"},\"extension\":{\"alert_ip\":\"192.168.1.51\",\"alert_seq\":\"81\",\"createdOn\":\"2021-09-13 20:40:20\",\"details\":\"Asset 192.168.1.51 was identified as a network scanner, sending requests to too many assets/ports\",\"explanation\":\"This asset has been identified as doing scanning activity. It can either be a legitimate scanner (monitoring or management platform), or it can be an infected asset that scans the network with a potentially malicious intent. \",\"remediation\":\"Please check the asset. If it is a valid scanner or management system, you can resolve the alert using the don't-show-it-again check box so it will not appear again. If this is not a valid activity, you should start a remediation process for this host, and assume that the network is compromised. If this is a one-time scan by a person, you can resolve the alert and let the alert re-trigger in case there is another scanning activity. \",\"site\":\"N/A\",\"status\":\"CREATED\",\"updatedOn\":\"2021-09-13 20:41:16\",\"url\":\"https://192.168.1.234/alerts/81\\u0000\"},\"prefix\":\"<11>\"}"
9
}