Accenture MDR Quick Start Guide for Acalvio ShadowPlex

This quick start guide will help Accenture MDR customers configure Acalvio ShadowPlex to send logs to the Log Collection Platform (LCP).

This document includes the following topics:

  - Supported Versions
  - Port Requirements
  - Configuring Acalvio ShadowPlex
  - LCP Configuration Parameters

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found in the Accenture MDR Portal.

Port Requirements

Table 1-1: Port requirements for LCP communication.

  Source               Destination   Port                     Description
  -------------------  ------------  -----------------------  ------------
  Acalvio ShadowPlex   LCP           514 (UDP) or 601 (TCP)   Default port

Configuring Acalvio ShadowPlex

  1. Click Setup from the ShadowPlex Admin Console menu.

  2. On the Global Configuration page, navigate to the SIEM Integration tab.

  3. From the left-hand menu, select the SIEM system that the enterprise uses.

  4. From the list (Splunk, HP ArcSight, IBM QRadar, RSA NetWitness, or Generic for any other SIEM system), select HP ArcSight, RSA NetWitness or Generic.

  5. Slide to enable SIEM Integration.

  6. Enter the Hostname or IP Address of the LCP server.

  7. Enter the Port where the LCP is configured to listen for data. Click (+) to increase the Port number or (-) to decrease it.

  8. Select the Protocol (UDP or TCP) from the drop-down menu. This is the protocol ShadowPlex uses to connect to the LCP and push the logs.

  9. The value in Message Format is pre-populated as CEF. This defines the format in which incident data from ShadowPlex is posted to the LCP.

Note: The collector supports the CEF format because it provides a richer set of information in a structured manner.

  10. Specify the Syslog Timezone.

  11. If a Generic SIEM System is used, additional fields for Username and Password are required.

  12. These values are mandatory for ShadowPlex to be able to connect and push the logs into the Generic SIEM System.

LCP Configuration Parameters

Table 1-2: The Acalvio ShadowPlex event collector (Syslog -3866) properties to be configured by MDR are shown in the table.

  Property                 Default Value                  Description
  -----------------------  -----------------------------  -----------------------------------------------------------
  Protocol                 UDP                            Default protocol for syslog events. The collector can also
                                                          accept logs over TCP.
                                                          Note: This does not support syslog over TLS.
  Hostnames / IP Address   Acalvio Interface IP address   Logging device IP address mentioned in the Pre-Installation
                                                          Questionnaire (PIQ).
                                                          Note: If the device sends logs using multiple interfaces,
                                                          contact the Accenture Security MDR onboarding team.
  Signatures               |Acalvio|ShadowPlex|           MDR recommended signatures processed by the Acalvio
                                                          ShadowPlex event collector.
  Port                     514                            The default port for syslog.
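The following is an added example, not part of the Accenture guide or of the ShadowPlex product: a small Python check that parses syslog lines as the LCP receives them, confirms they carry the CEF Message Format selected in step 9, and tests the vendor/product header against the |Acalvio|ShadowPlex| signature from Table 1-2. The sample lines, signature IDs, event names and extension keys are constructed for illustration and are not real ShadowPlex output.

```python
import re

# Signature string the MDR event collector matches on (Table 1-2 above).
COLLECTOR_SIGNATURE = "|Acalvio|ShadowPlex|"

# Optional RFC 3164-style syslog prefix (PRI, timestamp, host) ahead of the CEF header.
_SYSLOG_PREFIX = re.compile(
    r"^(?:<\d{1,3}>)?(?:\w{3}\s+\d{1,2}\s[\d:]{8}\s\S+\s)?(CEF:.*)$", re.S)
_PIPE = re.compile(r"(?<!\\)\|")  # a '|' not preceded by '\' (CEF escapes '|' as '\|')
_EXT_PAIR = re.compile(r"(\w+)=((?:(?!\s\w+=).)*)")  # key=value; values may contain spaces

def parse_cef(line):
    """Return CEF header fields plus extension key/values, or None if the line is not CEF."""
    m = _SYSLOG_PREFIX.match(line.strip())
    if not m:
        return None
    parts = _PIPE.split(m.group(1), maxsplit=7)  # 7 header pipes; extension keeps its own
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        return None
    keys = ["version", "vendor", "product", "device_version", "signature_id", "name", "severity"]
    rec = {k: v.replace("\\|", "|").replace("\\\\", "\\") for k, v in zip(keys, parts[:7])}
    rec["version"] = rec["version"][len("CEF:"):]
    rec["extension"] = {k: v.strip() for k, v in _EXT_PAIR.findall(parts[7])}
    return rec

def matches_collector(rec):
    """True when vendor|product equals the |Acalvio|ShadowPlex| signature the collector expects."""
    return "|%s|%s|" % (rec["vendor"], rec["product"]) == COLLECTOR_SIGNATURE

def triage(lines):
    """Split lines into those the collector would accept as ShadowPlex CEF and all others."""
    accepted, rejected = [], []
    for line in lines:
        rec = parse_cef(line)
        (accepted if rec and matches_collector(rec) else rejected).append(line)
    return accepted, rejected

# Constructed sample input (not real ShadowPlex output): two ShadowPlex CEF events,
# one CEF event from another vendor, and one line that is not CEF at all.
SAMPLE_LINES = [
    "<13>Mar  4 10:15:02 shadowplex CEF:0|Acalvio|ShadowPlex|3.0|1001|Decoy Touch|8|src=10.0.0.5 dst=10.0.0.77 msg=SMB connection to decoy",
    "CEF:0|Acalvio|ShadowPlex|3.0|1002|Decoy Login|5|suser=admin act=login",
    "<13>Mar  4 10:15:03 fw01 CEF:0|OtherVendor|Firewall|1.0|100|Deny|3|src=10.0.0.9",
    "<13>Mar  4 10:15:04 shadowplex plain text that is not CEF",
]

if __name__ == "__main__":
    ok, bad = triage(SAMPLE_LINES)
    print("accepted=%d rejected=%d" % (len(ok), len(bad)))  # accepted=2 rejected=2
```

Feed it a capture of what arrives on UDP 514 or TCP 601 during onboarding; a ShadowPlex line that lands in the rejected list points at a Message Format or signature mismatch rather than a port or protocol problem.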


Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.