SCADAfence

SCADAfence extends visibility into IT and OT networks. You can configure SCADAfence to create and forward alerts to InsightIDR via syslog to generate third party alerts.

SCADAfence Third Party Alerts

Third Party Alerts will only be generated when the log line has a status of “CREATED”. SCADAfence log lines with any other status (or that do not match the expected format) can still be found in Log Search, in the Unparsed Data log set.

To set up SCADAfence, you’ll need to:

  1. Review “Before you begin” and note any requirements.
  2. Configure SCADAfence to send data to your Collector.
  3. Set up the SCADAfence event source in InsightIDR.
  4. Verify the configuration works.

Before you begin

Before you continue, ensure you have the following:

  • Access to the SCADAfence Platform
  • An intermediary server with a Rapid7 Collector installed

The intermediary server will pass alert data between InsightIDR and the SCADAfence Platform. This server can be any Linux machine with connectivity to both systems.

You must install a Rapid7 Collector on the intermediary server to send the syslog data to InsightIDR. Follow the Linux installation instructions on Collector Installation and Deployment to set up the Collector on your server.

Configure SCADAfence to send data to your Collector

In the SCADAfence Platform, you will need to adjust settings for Syslog Configuration.

  1. Enter the address (IP or hostname) of the intermediary server running the Rapid7 Collector as the syslog destination. The SCADAfence Platform must be able to reach this server on the chosen port, so allow it through any firewall between them.
  2. Select an available port on the intermediary server. You will enter the same port when you configure the SCADAfence event source in InsightIDR, so note it down.

Set up SCADAfence in InsightIDR

  1. From the left menu, go to Data Collection.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the Third Party Alerts section, click the SCADAfence icon. The Add Event Source panel will appear.
  4. Name your event source.
  5. Choose the collector you set up in the Before you begin step.
  6. Choose the collection method to be “Listen on Network Port”.
  7. Set the Event Source port to the same port you selected during the Configure SCADAfence to send data to your Collector step.
  8. Click Save.

Verify the configuration

Complete the following steps to view your logs and ensure events are making it to the Collector:

  1. Click Data Collection in the left menu of InsightIDR and navigate to the Event Sources tab. Find the new event source that was just created and click the View Raw Log button. If you see log messages in the box, then this shows that logs are flowing to the Collector.
  2. Click Log Search in the left menu of InsightIDR.
  3. Select the applicable Log Sets and the Log Names within them. The Log Name will be the name you gave to your event source. SCADAfence logs flow into the Third Party Alerts log set when the log line has the status of “CREATED”. Otherwise, SCADAfence logs can be found in the Unparsed Data log set.

Logs take a minimum of 7 minutes to appear in Log Search

Please note that logs take at least 7 minutes to appear in Log Search after you set up the event source. If you see log messages when you select View Raw Log on the event source but still do not see any log messages in Log Search after waiting at least 7 minutes, then your logs do not match the recommended format and type for this event source (for example, the line is not a CEF message, or its status is not “CREATED”), and they will be in the Unparsed Data log set instead of Third Party Alerts.

Sample Logs

Here is an example of what the SCADAfence log search data looks like. It is a single syslog line carrying a CEF message (not JSON); it is wrapped here at field boundaries for readability:

```
Feb 3 11:06:44 sf-virtual-machine CEF: 0|SCADAfence|SCADAfence Platform|6.4.2.48|3000|Use of deprecated protocol - SMBv1|2|
alert_ip=10.33.150.0 site=N/A alert_seq=454 status=CREATED createdOn=2021-01-31 09:02:53 updatedOn=2021-02-03 11:01:47
details=10.33.150.0 communicated with 10.33.33.10 over the deprecated SMBv1 protocol. explanation=SMB is a protocol used for file and printer sharing in Microsoft systems. A number of vulnerabilities exist in the first version of the protocol. This protocol, if unpatched, could indicate propagation over the MS17-010 (EternalBlue) vulnerability, commonly used by WannaCry or MS08-67 (Conficker) vulnerability.
remediation=Make sure the OS on the device is patched for SMBv1 vulnerabilities. Consider updating the system to use a more advanced and secure version of the protocol, either SMBv2 or SMBv3. Scan the device with an Anti-Malware/Anti-Virus software to make sure it's not infected with malware (possibly, the WannaCry malware) Continue monitoring the device, to make sure it's not trying to infect other computers
url=https://192.168.0.0/alerts/454
```

The pipe-separated CEF header carries the vendor, product, version, signature ID (3000), alert name and severity (2). The extension that follows is a sequence of key=value pairs whose values may contain spaces; the status key is the one InsightIDR uses to decide whether the line becomes a Third Party Alert.
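The following is an added example, not code from the Rapid7 or SCADAfence documentation. It parses a syslog line in the format shown above (syslog prefix, CEF header, key=value extension) and applies the routing rule stated in the Verify the configuration section: a line whose status is CREATED is treated as a Third Party Alert, anything else (a different status, or a line that does not parse as CEF) lands in Unparsed Data. The sample lines are constructed here, modelled on the page's example with a shortened details value; the field names and the `parse_cef_alert` function are this example's own, not an InsightIDR API.

```python
import re

# Constructed sample lines (not captured logs), modelled on the page's example.
SAMPLE_CREATED = (
    "Feb 3 11:06:44 sf-virtual-machine CEF: 0|SCADAfence|SCADAfence Platform|6.4.2.48|3000|"
    "Use of deprecated protocol - SMBv1|2|alert_ip=10.33.150.0 site=N/A alert_seq=454 "
    "status=CREATED createdOn=2021-01-31 09:02:53 updatedOn=2021-02-03 11:01:47 "
    "details=10.33.150.0 communicated with 10.33.33.10 over the deprecated SMBv1 protocol. "
    "url=https://192.168.0.0/alerts/454"
)
# Same alert re-sent after an update: InsightIDR does not raise a second alert for it.
SAMPLE_UPDATED = SAMPLE_CREATED.replace("status=CREATED", "status=UPDATED")

# Syslog prefix ("Feb 3 11:06:44 host") followed by the CEF version. The page's
# sample has a space after "CEF:", which strict CEF does not, so \s* tolerates both.
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) CEF:\s*(?P<ver>\d+)\|(?P<rest>.*)$"
)
# A CEF extension key is a bare identifier followed by '=' at the start of the
# extension or after whitespace; values run up to the next such key.
EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z_][A-Za-z0-9_]*)=")


def parse_extension(ext):
    """Split 'k1=v1 k2=v2 with spaces k3=v3' into a dict; values keep their spaces."""
    keys = list(EXT_KEY_RE.finditer(ext))
    out = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = ext[m.end():end].strip()
    return out


def parse_cef_alert(line):
    """Parse one SCADAfence syslog/CEF line and say which InsightIDR log set it maps to."""
    m = HEADER_RE.match(line)
    if not m:
        return {"destination": "Unparsed Data", "reason": "not a syslog/CEF line", "raw": line}
    # Seven header fields; '\|' inside a field is an escaped pipe, not a separator.
    parts = re.split(r"(?<!\\)\|", m.group("rest"), maxsplit=6)
    if len(parts) != 7:
        return {"destination": "Unparsed Data", "reason": "CEF header incomplete", "raw": line}
    vendor, product, version, sig_id, name, severity = (p.replace("\\|", "|") for p in parts[:6])
    ext = parse_extension(parts[6])
    # The page's rule: only status=CREATED becomes a Third Party Alert.
    destination = "Third Party Alerts" if ext.get("status") == "CREATED" else "Unparsed Data"
    return {
        "destination": destination,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "header": {
            "vendor": vendor, "product": product, "version": version,
            "signature_id": sig_id, "name": name, "severity": int(severity),
        },
        "extension": ext,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_CREATED, SAMPLE_UPDATED, "Feb 3 11:07:01 sf-virtual-machine heartbeat ok"):
        r = parse_cef_alert(sample)
        print(r["destination"], "<-", r.get("header", {}).get("name", r.get("reason")))
```

To check a line that reaches View Raw Log but never shows up under Third Party Alerts, paste it into `parse_cef_alert`: a returned destination of Unparsed Data with a status other than CREATED, or a reason of "not a syslog/CEF line", matches what InsightIDR will do with it.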