Skip to main content
Version: 1.1.0

Alerts Handling

The Superna Data Security Essentials provides alerting capabilities through two primary channels:

  • Email Notifications
  • Windows Event Log Integration

Alerts are sent via email to designated recipients, ensuring immediate awareness of critical events. Administrators can specify the email accounts to receive notifications. See the Email Configuration section to review email setup instructions.

Additionally, the software supports Windows Event Log integration, allowing alerts to be seamlessly integrated with any Security Information and Event Management (SIEM) system. This integration enables comprehensive monitoring and centralized management of alerts across the organization's IT infrastructure.

The alert syntax allows filtering alarms within SIEM alarm forwarding.

Each alert is stored in the data section of every Windows event log entry generated by Data Security Essentials. The format is UTF-8 JSON.

ServiceNow Integration

How to Configure Data Security Essentials

Data Security Essentials saves alerts to the Windows Event log to a custom application log. This integration will extract the log entries and the json payload contained within them and format as webhook data to send to ServiceNow Scripted Endpoint.

alt text

Requirements

  1. Follow the ServiceNow integration steps above to configure the Scripted REST API endpoint.
  2. Install Python for Windows on the Data Security Essentials host, ensuring it's added to the system path during installation: Python for Windows.
    note

    Install for all users to allow service accounts access.

  3. The integration code matches event log entries from Custom Trigger BOT policies and File Management policies.
  4. Event log source names:
    • Superna Data Security Essentials BOT Service
    • Superna Data Security Policy Engine

Features

  1. Logging: Logs for each execution are stored in a designated path with the Python code. alt text

  2. Event Record Tracking: Each execution saves the last processed event’s details (ID, date, and event number) in a file named last_processed_record.txt to resume from the last processed point.

  3. Scheduled Sync: The script runs every minute, processing only new events since the last recorded one, logging each processed event.

  4. Event Filtering: Only events of Warning level or higher are processed; informational events are skipped.

  5. SIR Incident Updates: The ServiceNow Scripted endpoint will update Security Incident Response (SIR) incidents based on event IDs from Data Security Essentials.

Steps to Configure Event Sync to ServiceNow Security Incident Response module

  1. Download the integration code template

  2. Modify the Python code:

    • Update the ServiceNow endpoint URL in the section labeled # Your ServiceNow webhook details.
    • Make sure it matches your instance URL and the Scripted Webhook URL created earlier.

  3. Copy the Python code:

    • Place it in C:\Program Files\Superna\cgi-bin on the Data Security Essentials host.
    • Name the file dse-servicenow-sir-integration.py.

  4. Install Python dependencies:

    • Open a command prompt as the dse-service account by right-clicking and choosing to run as that user.
    • Use the following command to install required libraries:
      • pip install pywin32 requests

  5. Test the script:

    • Navigate to C:\Program Files\Superna\cgi-bin.
    • Run the script with python dse-servicenow-sir-integration.py.
    • Check that the output displays relevant event log entries (ignoring informational events) and sends JSON data to the ServiceNow endpoint, mapping the necessary data to the SIR incident.
    • Example output alt text

  6. Steps to Schedule sync alerts into ServiceNow Security Incidents:

    • Open secpol.msc and navigate to Local Policies.
    • Grant the Data Security Essentials AD service account (e.g., dse-service) the "Log on as a batch job" permission. alt text

  7. Save the Task Scheduler XML File:

    • Download and save the Task Scheduler XML file linked in the instructions to your system.

  8. Set Up the Task in Task Scheduler:

    • Open Task Scheduler by running taskschd.msc. alt text
    • Right-click on "Task Scheduler Library" and select "Import Task...".
    • Import the previously saved XML file.
    • You will be prompted with the task definition, update the service account information to match your specific account name and domain, then enter the password.
    • Ensure all settings are correctly configured and adjust any necessary parameters as needed. alt text