Accenture MDR Quick Start Guide for Lancope StealthWatch®

Owned by KM (Unlicensed)
Last updated: Aug 06, 2024 by Aparna Rr
3 min read

This quick start guide will help Accenture MDR customers configure Lancope Stealthwatch® to send logs to the Log Collection Platform (LCP).

The document includes the following topics:

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx) which can be found in

Accenture MDR Portal - https://mss.accenture.com/PortalNextGen/Reports/Documents

Port Requirements

Table 1-1: Port requirements for LCP communication.

Source

Destination

Port

Description

Lancope Stealthwatch

LCP

514 (UDP)

Default port

Configuring Lancope Stealthwatch

To configure Lancope Stealthwatch, follow the steps below. 

  1. Login to the Stealthwatch Management console. 

  2. Go to Configuration > Response management.

3. In Edit Syslog Format pop-up, type the following:

  • In the Name text box, type a name for the syslog format.

  • In the Description text box, type a description for the format.

  • From the Facility drop-down list, select Local 0.

  • From the Severity drop-down list, select Informational.

  • In the MSG Part text box, copy and paste the below fields

Lancope|StealthWatch|time|{time}|target_hostname|{target_hostname}|alarm_severity_id|{alarm_severity_id}|alarm_type_id|{alarm_type_id}|alarm_type_description|{alarm_type_description}|port|{port}|target_ip|{target_ip}|target_mac_address|{target_mac_address}|target_label|{target_label}|alarm_type_name|{alarm_type_name}|source_hostname|{source_hostname}|source_ip|{source_ip}|source_mac_address|{source_mac_address}|source_username|{source_username}|device_ip|{device_ip}|device_name|{device_name}|details|{details}|protocol|{protocol}|alarm_id|{alarm_id}|alarm_category_name|{alarm_category_name}|start_active_time|{start_active_time}| end_active_time|{end_active_time} 

Note: 

  • Ensure that there are no spaces in the above log format. 

  • The alarm_category_name|{ALARM_CATEGORY_NAME.EN_US} field is not available for version 6.6.1.

4. Click OK.

5. In the Response Management window, go to Actions > Add. Select Syslog Message and then click Ok.

6. In Add Syslog Message Action pop-up window, type the following

  • In the Name text box, type the name of the LCP.

  • In the Description text box, type the description for the LCP.

  • In the IP address text box, type the LCP_IP_address.

  • In the Port text box, type 514

  • From the Format drop-down list, select the format you have created in step 3.

  • Click OK.

7. In the Response Management window, go to Rules > Add > SMC system alarms and then click OK.

8. Select Rule and type a name for the rule.

9. In the This rule is triggered if section, click any button with three dots (…) on it.

10. In the left list box, select Severity and in the right list box, select Informational and then click OK.

11. Select Actions > Add. Select the action you have created as per steps mentioned above and click OK, and then OK.

12. Repeat steps 3 - 6 to rename the following four options under the Rule section.

Outcome:

  • Supported log collection mechanism - Syslog

  • Preferred log collection mechanism - Syslog

  • Event flow logical diagram - SMCàRemote Syslog Server

To configure Lancope StealthWatch (version 7.4.2): 

  • Navigate to Response management and Select Syslog Formats.

  • Enter Name and Description field accordingly.

  • Select Facility as Local 0 and Severity Informational.

  • Under Message, enter the below format: 

Lancope|StealthWatch|time|{time}|target_hostname|{target_hostname}|alarm_severity_id|{alarm_severity_id}|alarm_type_id|{alarm_type_id}|alarm_type_description|{alarm_type_description}|port|{port}|target_ip|{target_ip}|target_mac_address|{target_mac_address}|target_label|{target_label}|alarm_type_name|{alarm_type_name}|source_hostname|{source_hostname}|source_ip|{source_ip}|source_mac_address|{source_mac_address}|source_username|{source_username}|device_ip|{device_ip}|device_name|{device_name}|details|{details}|protocol|{protocol}|alarm_id|{alarm_id}|alarm_category_name|{alarm_category_name}|start_active_time|{start_active_time}| end_active_time|{end_active_time}

Ensure that there are no spaces in the above log format.
alarm_category_name|{alarm_category_name} field is not available for version 6.6.1.

  • Select Actions > Add. Select Syslog Message and click Ok.

  • Provide name and IP address of the LCP and port 514

  • Select Rules, enter Name and Description Accordingly.

  • Toggle ON the Enable button

  • Select the Rules condition as shown below under "Rules is triggered if" 

  • Repeat above steps for the rule options mentioned below:

  • Click Save.

LCP Configuration Parameters

Table 1-2: The Lancope Stealthwatch event collector (Syslog-3707) properties to be configured by MDR are shown in the table.

Property

Default Value

Description

Protocol

UDP

The default protocol for syslog.

IP Address

Lancope Stealthwatch device IP address

Logging device IP address mentioned in the Pre-Installation Questionnaire (PIQ).

Note: If the device sends logs using multiple interfaces, contact the MDR onboarding team.

Signatures

Lancope|StealthWatch| 

MDR recommended signatures processed by the Lancope Stealthwatch event collector.

Port Number

514

The default port for UDP. 

Note: The LCP can be configured to listen on a non-standard port, please advise the MDR onboarding team if this is a requirement.

 

 

Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.