Introduction
Logsign helps organizations improve their cyber resilience by reducing risk and operational chaos, and supports compliance with relevant regulations by bringing data collection, threat detection, investigation and incident response together on a single, unified platform.
This is achieved by integrating native Logsign tools such as Security Information and Event Management (SIEM), Threat Intelligence, User and Entity Behaviour Analytics (UEBA), and Threat Detection, Investigation and Response (TDIR).
Logsign Unified SecOps Platform is a comprehensive security tool that enables you to create a data lake, investigate threats and vulnerabilities, analyze risks, and respond to threats automatically.
The platform's automation and orchestration capabilities come from Logsign's SOAR experience and are involved at every stage of detection, investigation and response. This allows threats and vulnerabilities to be mitigated and eradicated quickly, reducing mean time to detect (MTTD) and mean time to respond (MTTR).
As a Unified Security Operations Platform, it works seamlessly with the other components of a Security Operations Center.
This document explains the MSS integration between the centralized USO platform (Logsign Cyfusion) and the End Users' USO platforms.
Incident Forwarding Process on End Users' USO Platform
First, define the MSS integration on the "Responses" tab under Integrations in the End User's USO Platform.
Then add the MSS integration as an action rule in the Logsign Unified SecOps Platform.
Click "+Add" under the Settings-Action Rules tab.
On the screen that appears, select the alerts to be forwarded and click the "Next" button.
On the "Actions & Conditions" screen, select MSS as the response method. This completes the configuration on the End User's platform.
Adding Organization on Centralized USO Platform
Organisations are added on the Organisations tab in the Centralized USO Platform.
Each Organisation is defined by the End User's HostID and name.
Then, on the MSS (Cyfusion) side, run the following commands on the CLI as root:
# cp /opt/logsign-poller/logsign-comanaged-collector.service /lib/systemd/system
# systemctl enable logsign-comanaged-collector
# systemctl start logsign-comanaged-collector
Then, on the client side, run the following commands on the CLI as root:
# cp /opt/logsign-postproces/logsign-mss-action-worker.service /lib/systemd/system
# systemctl enable logsign-mss-action-worker
# systemctl start logsign-mss-action-worker
# systemctl restart logsign-api
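The following script is an added example and is not Logsign's own installer. It wraps the two command sequences above in one script that is run with the role of the host ("mss" on Cyfusion, "client" on an End User's platform), and adds two practitioner safeguards that the documented steps do not include: a "systemctl daemon-reload" after copying the unit file, and an "is-active" check so a unit that fails to start is reported rather than silently ignored. It assumes the unit files are at the paths shown above, the host uses systemd, and the script runs as root; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not Logsign's own installer script. Installs the systemd
# units from the documented procedure for either side of the MSS integration
# and verifies the result. Assumptions: unit files are at the paths shown in
# the procedure, the host uses systemd, and the script runs as root.
# "systemctl daemon-reload" and the "is-active" check are safeguards added
# here; they are not part of the documented steps.
# Set DRY_RUN=1 to print the commands instead of executing them.

UNIT_DIR=/lib/systemd/system

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Install one unit file: copy it into the unit directory, reload systemd,
# enable and start it, then confirm it is running. Non-zero on any failure.
install_unit() {
    src="$1"
    unit=$(basename "$src" .service)
    if [ "${DRY_RUN:-0}" != "1" ] && [ ! -f "$src" ]; then
        echo "missing unit file: $src" >&2
        return 1
    fi
    run cp "$src" "$UNIT_DIR/" || return 1
    run systemctl daemon-reload || return 1
    run systemctl enable "$unit" || return 1
    run systemctl start "$unit" || return 1
    if [ "${DRY_RUN:-0}" != "1" ]; then
        systemctl is-active --quiet "$unit" || {
            echo "$unit is not active; check: journalctl -u $unit" >&2
            return 1
        }
    fi
}

# ROLE is "mss" for the central Cyfusion side or "client" for an End User's
# USO platform. The client side also restarts logsign-api, as the procedure
# requires.
install_logsign_units() {
    case "$1" in
        mss)
            install_unit /opt/logsign-poller/logsign-comanaged-collector.service
            ;;
        client)
            install_unit /opt/logsign-postproces/logsign-mss-action-worker.service || return 1
            run systemctl restart logsign-api
            ;;
        *)
            echo "usage: $0 mss|client" >&2
            return 2
            ;;
    esac
}

# Usage: ./install-mss-units.sh mss     (on Cyfusion)
#        ./install-mss-units.sh client  (on the End User's platform)
if [ $# -gt 0 ]; then
    install_logsign_units "$1"
fi
```

The script exits non-zero as soon as a step fails, so it is safe to re-run after fixing the cause; copying and enabling an already installed unit is harmless.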
After these steps are completed, incidents are collected on the Centralized USO Platform and labelled with their Organisation names. They can be tracked in Incident Management or monitored with different types of Dashboards.
Management of Responses on Client Side
All incidents arriving at Cyfusion are categorized by organization and can be viewed on the "Organization" tab.
To manage the process and take action on an incident, press the "Magic Button". The window that opens lists both Cyfusion's response integrations and the client's response integrations for that incident. Select the integration you want to use and apply the methods it provides.
Note: throughout the process, communication between Logsign Cyfusion and the Logsign Unified SecOps Platform is established over HTTPS through a tunnel.