LogoLogo
  • Introducing dope.swg
    • Changing the Rules...
    • Quick Start Guide
      • Create a dope.swg Account
      • Get Started with the dope.endpoint
      • Import User and Group Data
      • Create a dope.swg Web Policy
    • Mitre ATT&CK and Nist CSF
  • dope.console
    • Analytics
      • Overview dashboard
      • Policy View
      • Productivity
      • Shadow IT
      • Detail View
    • dope.swg Policy
      • Editing the Base Policy
      • Adding Policy Exceptions
      • Assigning a Block Page
      • Creating Custom Categories
      • URL Bypass List
      • Application Bypass List
      • Default Bypass List
      • Cloud Application Control (CAC)
        • Microsoft O365
        • Google
        • Box
        • Salesforce
        • Dropbox
        • Slack
        • WebEx
      • Custom Policy
      • Policy Assignment
      • Policy Inheritance and Customization
    • CASB Neural
      • Microsoft 365 - Authentication
      • Google - Authentication
      • CASB DLP
        • DLP Files Table
    • Endpoint Manager View
      • Searching the View
      • Filtering and Sorting the Endpoint View
      • Endpoint Count
      • Running Diagnostics
      • Disable Endpoint
    • Settings
      • General
      • Block Pages
      • Endpoints
      • Users
        • Importing from Google
        • Why not SAML & SCIM?
      • Audit Log
      • SIEM Integration
        • Category & Verdict Mappings
      • API Client Credentials
      • Billing Details
    • Notifications
      • SSL Errors
  • dope.endpoint
    • Trusted Process Names
    • Generate Diagnostics
    • Disable Endpoint
    • Installing using MDM on Mac
      • Using JAMF
      • Using Kandji
      • Using Intune
    • Installing using Intune on Win
    • Mac Installer
      • Installation Process - Silent
      • Uninstall
      • Endpoint Authentication
    • Windows Installer
      • Installation Process - Silent
      • Uninstall
      • Endpoint Authentication
    • dope.endpoint UI
      • Windows UI
      • macOS UI
    • Automatic Updates
  • Release Notes
  • DOPE.APIs
    • Public API Specification
Powered by GitBook
On this page
  • Configuring the integration
  • Provide S3 Bucket Name
  • Configuring the AWS S3 Bucket Policy
  • Synchronise
  • Synchronization Errors
  • Connection Lost
  • Log Data Format
  1. dope.console
  2. Settings

SIEM Integration

PreviousAudit LogNextCategory & Verdict Mappings

Last updated 5 months ago

It is possible to integrate your dope.swg with whichever SIEM tool your organization is using.

Simply provide dope.security with the location of your organizations AWS S3 Bucket where we can send all of web transactions from each dope.endpoint.

Each dope.endpoint sends all web transactions for that endpoint to the dope.cloud every 15 mins. Once SIEM Integration is enabled the dope.cloud will ensure all of this log data is sent to your organizations AWS S3 bucket as it is received from the dope.endpoint.

The data is sent to the AWS S3 Bucket in a compressed GZIP format. This data can then be ingested into whichever SIEM product your organization is using.

Configuring the integration

Provide S3 Bucket Name

The first step to configure SIEM integration is to navigate to the Settings -> SIEM page. From here you must provide the name of the AWS S3 Bucket where you want to the dope.cloud to send the log data to.

Your AWS S3 Bucket must be in the AWS region noted on the right-hand side of the SIEM integration page on the right-hand side (above).

e.g. US-EAST-2 should have a US-EAST-2 S3 Bucket location

Configuring the AWS S3 Bucket Policy

The AWS S3 bucket that you want to log data to be sent to must be configured to give the dope.cloud write access.

Within the SIEM integration page on the right hand panel dope.security have provided the policy that the AWS S3 Bucket needs to be configured with. You need to copy and paste this policy and use it to configure the organizations AWS S3 Bucket.

Synchronise

When everything has been configured correctly a successful synchronization will be clearly indicated on the SIEM page.

A green tick will appear next to the AWS S3 Bucket name and the last synchronization time will appear on the top right of the page.

Synchronization Errors

Where the synchronization fails it will be because of one of the following errors:

  • AWS S3 bucket not found

  • AWS S3 Bucket needs to be in Data Residency Region

  • AWS S3 access policy is not set

  • AWS S3 access policy is incorrect.

The synchronization failure will be clearly indicated on the SIEM page.

Connection Lost

It is possible that connection to the AWS S3 Bucket could get lost. This will result in log data not getting sent to the organizations AWS S3 Bucket. The reasons for a lost connection be because of one of the following errors:

  • AWS S3 bucket not found

  • AWS S3 Bucket needs to be in Data Residency Region

  • AWS S3 access policy is not set

  • AWS S3 access policy is incorrect.

If this happens then notifications will appear in two locations.

The SIEM Integration page will clearly indicate that the connection is lost and will indicate the possible reasons.

The Audit Log will have an event posted that shows the number of files that have not been sent to the organizations AWS S3 Bucket.

Screenshot needed

When connection to the AWS S3 Bucket is restored then the SIEM page will again indicate that the synchronization was successful. There will also be a connection returned event added to the Audit Log.

Log Data Format

The data is sent in JSONL format below you can find the JSON Schema and an example JSONL file.

Below is a description of each parameter in the JSONL file

Parameter
Description

Timestamp (ISO 8601 time format)

The timestamp of when the web transaction was requested

Duration

The duration that the connection was open for, this is in milliseconds

Matched Destination

The domain that the dope category was matched against

Destination IP

The destination IP address for the requested URL

Tenant ID

The customers dope.cloud unique tenant ID

Agent ID

The unique agent ID for the dope.endpoint where the data is being sent from

User

The logged in user on the dope.endpoint

OIDC User

The email address for the authenicated user on the dope.endpoint. Only shown when OIDC authentication is enabled

Categories

Verdict

The policy verdict for the requested URL. This can be Allow (0), Block (1), Warning (2) or Bypass (3) where the URL is part of a policies bypass list.

Data Sent

The amount of data sent in the connection

Data Received

The amount of data received in the connection

Policy Type

The type of policy that was applied to the URL.This can be either Web, Cloud Application Control (CAC), Custom Category or Malware.

Block Detail

Populated for a block verdict. It will be either a dope category, a custom category, Cloud Application or a malware type.

Filename

The name any file downloaded.

File Hash

The file hash for the downloaded file

Process Name

The name of the process making the URL request.

URL

The complete requested URL

Policy Name

The name of the policy applied

Protocol

Protocol used, e.g.: HTTP/2, HTTP/1.1

Hostname

Device hostname

HTTP Request Method

HTTP Request Method e.g. Put

Process Call Tree

Shows the parent-child relationships established via process spawn operations, also includes the command arguments

Once the AWS S3 Bucket is configured correctly return to the Settings -> SIEM Page and simply click the Sync Button

The matched for the requested URL

dope category numbers
8KB
Dope-SIEM-Schema.json
Schema File
911B
SIEM JSONL Example.json
SIEM JSONL Example
Ensure your S3 bucket is in the location shown on the right-hand side (US-EAST-2 in this example)
Successful Synchronization
SIEM Page Lost Connection