Having data security processes in place isn’t worth much if you can’t monitor and manage them. To help with this challenge, Veritas NetBackup release 10.2 expands support for Security Information and Event Management (SIEM), Security Orchestration, Automation, and Response (SOAR), and Extended Detection and Response (XDR) security monitoring/management platforms.
Our SIEM/SOAR/XDR support sends NetBackup audit logs to external SIEM/SOAR/XDR security management solutions where they can be monitored and managed. Administrators can select which SIEM/SOAR/XDR solutions receive audit logs, and which parts of the audit logs are sent. These selections can be changed over time to fine-tune the audit data to the reporting requirements for NetBackup.
Release 10.2 expands our SIEM/SOAR/XDR support with Microsoft’s Azure Sentinel. Microsoft describes Azure Sentinel at this link:
What’s SIEM/SOAR/XDR Data Security?
The Gartner Group defines the SIEM, SOAR and XDR platforms similarly. They say SIEM "supports threat detection, compliance and security incident management through the collection and analysis of security events, as well as a wide variety of other event and contextual data sources." Likewise, SOAR allows "organizations to collect inputs monitored by the security operations team." Last, XDR is "a unified security incident detection and response platform that automatically collects and correlates data from multiple proprietary security components." Although the three are very similar, there are major differences between these platforms.
A SIEM solution takes in event/audit information from all kinds of IT devices and sources, such as appliances, firewalls, intrusion detection systems, etc. It stores and sorts events/audits, and then analyzes them for trends and failures that indicate security problems. This analysis is performed with machine learning/AI, or in some cases special hardware sensors. But a lot of manual intervention is still required with a SIEM solution to keep it performing well.
A SOAR solution takes in event/audit information just as SIEM does, but then it goes further. SOAR uses case (workflow) management to make analyzing and investigating the gathered data easier and faster. This allows a quicker defensive response to discovered attacks and weak points. Playbooks (pre-designed and usually automated workflows) control these responses.
XDR solutions emerged in 2018 to do what SIEM and SOAR do, and more. XDR standardizes all the collected event/audit data and uses it as a centralized security incident and response system. However, XDR doesn’t offer the log management, or the long-term retention and compliance capabilities of SIEM.
SIEM, SOAR, and XDR systems are often merged into one vendor solution so that the strengths of each work together. This merged solution approach is why NetBackup release 10.2 and beyond support SIEM/SOAR/XDR platforms.
How NetBackup Sends Events to SIEM Platforms
The figure below shows how NetBackup sends events to SIEM platforms using Microsoft Sentinel as an example. A workspace key and ID are required for NetBackup to connect to Sentinel. These are generated in Sentinel via its SIEM WebUI/API interface and stored and used by the NetBackup primary server. Once NetBackup can connect to Sentinel, NetBackup audits its own logs for the type(s) of alerts you’ve configured for forwarding to Sentinel. The selected alerts are then sent to Sentinel as audit alert broadcast messages.
New additions in future releases will use the same configuration and operation logic as Sentinel. Note that you’ll be able to activate and deactivate audit event transmissions to any SIEM/SOAR/XDR target at any time.
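The workspace ID and key described above are what authenticate NetBackup to Sentinel. As an added illustration (not NetBackup's or Veritas's code), the block below builds and verifies a signed request the way the Log Analytics HTTP Data Collector API expects it, since that is the API that accepts a workspace ID and primary key; the page does not state which API NetBackup itself uses, and the workspace values, log type name and audit event are constructed samples. The point for a defender is visible in `verify_request`: the primary key is the HMAC secret for every event posted, so it must be handled as a credential, not a configuration string.

```python
import base64
import datetime
import hashlib
import hmac
import json

# Constructed sample credentials (not real): a workspace ID and a base64 primary key.
WORKSPACE_ID = "11111111-2222-3333-4444-555555555555"
WORKSPACE_KEY = base64.b64encode(b"constructed-sample-key-not-a-real-secret").decode()
LOG_TYPE = "NetBackupAudit"  # assumed custom log name; Sentinel would list it as NetBackupAudit_CL
# Constructed audit event; the page does not describe NetBackup's actual event schema.
SAMPLE_EVENTS = [{"source": "nbu-primary.example (constructed)", "category": "audit",
                  "action": "login", "user": "nbadmin", "result": "success"}]

def build_signature(workspace_id, workspace_key, rfc1123_date, content_length,
                    method="POST", content_type="application/json", resource="/api/logs"):
    """SharedKey header for the Log Analytics HTTP Data Collector API. The API fixes the
    string to sign; the workspace primary key is the HMAC-SHA256 secret, so anyone holding
    it can submit log data as this workspace."""
    string_to_sign = (f"{method}\n{content_length}\n{content_type}\n"
                      f"x-ms-date:{rfc1123_date}\n{resource}")
    digest = hmac.new(base64.b64decode(workspace_key), string_to_sign.encode("utf-8"),
                      hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"

def build_request(workspace_id, workspace_key, log_type, events, rfc1123_date=None):
    """Return (url, headers, body) for one batch of audit events; nothing is sent."""
    body = json.dumps(events, separators=(",", ":"))
    if rfc1123_date is None:  # the date is part of the signed string, so it is set here
        now = datetime.datetime.now(datetime.timezone.utc)
        rfc1123_date = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
        "Authorization": build_signature(workspace_id, workspace_key, rfc1123_date,
                                         len(body.encode("utf-8"))),
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return url, headers, body

def verify_request(headers, body, workspace_id, workspace_key):
    """Recompute the signature as the service would: any change to the body, date or
    key invalidates it, which is why the key must be stored as a protected secret."""
    expected = build_signature(workspace_id, workspace_key, headers["x-ms-date"],
                               len(body.encode("utf-8")))
    return hmac.compare_digest(headers["Authorization"], expected)
```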
A Quick Tour of Connecting NetBackup 10.2 with SIEM/SOAR/XDR Platforms
The Sentinel workspace to receive audit alerts from NetBackup must already exist before it can be selected as an audit alert target. The example workspace in the figure below is “sentinel1.” See the Sentinel documentation on the “Log Analytics Agents Instructions” feature to display workspace IDs and keys as shown. Existing IDs and keys can be copied, or new ones generated if needed.
Once you have a copy of the workspace ID and key, you can configure the workspace in NetBackup as an audit event target. Log in to the NetBackup WebUI. SIEM targets can only be configured in the WebUI. Go to Security -> Security events -> Audit event settings as shown below.
Click the “Send audit events to log forwarding endpoints” checkbox, then click the “Select Endpoints” tab when it appears as shown below.
Click the “Microsoft Sentinel” checkbox, then the “Add a new credential” button. Enter the workspace ID and key and save the changes. The new credential for Sentinel appears as shown below. Click on the dot menu and select “Edit.”
Enter a tag (optional), description, workspace ID, and workspace primary key, as shown below. Click “Next.” The credential is updated. Click “Save.”
NetBackup can now send audit events to Sentinel as shown below.
Now that you have a target workspace to receive audit alerts, click “Edit” to select the audit event categories you want to forward to selected endpoints. By default, all categories are selected. Click the checkboxes of the audit categories shown to select or unselect them, then click “Save.”
NetBackup is now configured to send the audit events you selected to the Sentinel workspace you specified. Only new audit alerts will be forwarded when they are generated. Click “Close.” A summary of your Sentinel configuration is displayed, as shown below.
NetBackup 10.2+ SIEM/SOAR compatibility makes monitoring NetBackup from SIEM/SOAR platforms simple. Now all your NetBackup alerts can post to your SIEM/SOAR reporting automatically. Even better, this reporting is easily expanded as you add new SIEM/SOAR platforms. Be sure to use this functionality in your environments wherever possible.
Microsoft has announced end of life for the log analytics agent
"The Log Analytics agents (MMA/OMS) used to collect logs from virtual machines and servers will no longer be supported from August 31, 2024. Plan to migrate to Azure Monitor Agent before this date."
Please validate your product will work with AMA instead of MMA and update the procedural guidance.