Getting Started - 2 - Enhance Data

This guide is part of a 3 part Getting Started series:

  1. Enable Data Flow
  2. Enhance Data
  3. Customise

This guide aims to help you take advantage of the advanced features within Secure60 to maximise your cyber security protection.

Completion of this guide will enable the following benefits across your business:

  1. User and Entity Behavioural Monitoring
  2. Advanced Threat Detection

Overview

In this guide we will enhance the configuration of the Secure60 Collector. The enhancement optimises the format of the data being ingested into the platform by transforming specific data into a common format, the Secure60 Common Information Model.

Once you have completed this guide you will have rich, formatted information being sent from the Secure60 Collector into the Ingest endpoint in the Secure60 platform.

Requirements:

Step 1 - Enable custom transformations

The Secure60 Collector has built-in switches to enable transformation of specific types of incoming data. An example is presented below.

To enable this you specify which incoming Event fields need to be transformed: you configure both a field name and a field value that together match a specific data source type.

Example AWS Data Transformation:

To transform AWS data into the Secure60 format, add the following variables to your Secure60 Collector .env file:

ENABLE_AWS=true
ENABLE_AWS_MATCH_FIELD=.source_type
ENABLE_AWS_MATCH_VALUE=http_server

The above configuration looks for a field named .source_type with the value http_server and processes matching events as AWS data. This means you would be sending your AWS CloudTrail information into the HTTP (or HTTPS) incoming interface.

The following raw data:

{"Records": [{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDA6ON6E4XEGITEXAMPLE",
        "arn": "arn:aws:iam::888888888888:user/Mary",
        "accountId": "888888888888",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "Mary",
---- snip-----
    },
    "eventTime": "2023-07-19T21:25:09Z",
    "eventSource": "iam.amazonaws.com",
    "eventName": "CreateUser",

As long as ENABLE_GENERIC_NORMALISE=true is also set, this would be transformed into the Secure60 schema:

.source_system: "iam.amazonaws.com"
.timestamp: "2023-07-19T21:25:09Z"
.event_operation: "CreateUser"
.user_name: "Mary"
.auth_principal_id: "AIDA6ON6E4XEGITEXAMPLE"
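To make the match-then-map behaviour concrete, the following is an added Python illustration (not the Secure60 Collector's own code) that reproduces the field mapping shown above for a constructed CloudTrail event. The Secure60 field names and .env switches are taken from this guide; that a leading dot denotes a top-level event key, that the raw CloudTrail body sits under a `message` key, and the function names are assumptions.

```python
import json
# Constructed .env-style settings, mirroring the guide's example.
ENV = {
    "ENABLE_AWS": "true",
    "ENABLE_AWS_MATCH_FIELD": ".source_type",
    "ENABLE_AWS_MATCH_VALUE": "http_server",
    "ENABLE_GENERIC_NORMALISE": "true",
}

# CloudTrail -> Secure60 field mapping, taken from the output shown in the guide.
AWS_TO_S60 = {
    ".source_system": ("eventSource",),
    ".timestamp": ("eventTime",),
    ".event_operation": ("eventName",),
    ".user_name": ("userIdentity", "userName"),
    ".auth_principal_id": ("userIdentity", "principalId"),
}

# Constructed incoming event; the raw CloudTrail body is assumed to sit under 'message'.
SAMPLE_EVENT = {
    "source_type": "http_server",
    "message": json.dumps({"Records": [{
        "userIdentity": {"type": "IAMUser", "principalId": "AIDA6ON6E4XEGITEXAMPLE",
                         "userName": "Mary"},
        "eventTime": "2023-07-19T21:25:09Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser",
    }]}),
}

def _get_path(record, path):
    # Walk nested keys; None when any key is missing so partial records still normalise.
    for key in path:
        if not isinstance(record, dict) or key not in record:
            return None
        record = record[key]
    return record
def aws_matches(event, env=ENV):
    # The switch must be on AND the configured field must carry the configured value.
    if env.get("ENABLE_AWS", "false").lower() != "true":
        return False
    field = env.get("ENABLE_AWS_MATCH_FIELD", "").lstrip(".")
    return event.get(field) == env.get("ENABLE_AWS_MATCH_VALUE")
def normalise_aws(event, env=ENV):
    # Returns one Secure60-shaped dict per CloudTrail record, or [] when not applicable.
    if not aws_matches(event, env) or env.get("ENABLE_GENERIC_NORMALISE", "false").lower() != "true":
        return []
    records = json.loads(event["message"]).get("Records", [])
    return [{k: v for k, v in ((k, _get_path(r, p)) for k, p in AWS_TO_S60.items()) if v is not None}
            for r in records]
```

Events whose .source_type is anything other than the configured value, or runs with ENABLE_GENERIC_NORMALISE unset, pass through untouched, which is the behaviour to check first if fields are missing in the platform.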

Step 2 - Enable rules for specific platforms or applications and UEBA

Now that you have data flowing in a normalised and configured format you can enable Secure60 Rules that leverage this information.

Project -> Settings -> Rule Groups

[Screenshot: Secure60 Project Rules View]

Click “Add Rule Group” and then select, for example, Secure60 - Managed Rules - AWS and Secure60 - Managed Rules - User Entity Analytics to enable AWS-specific rules as well as the overall Secure60 User and Entity based tracking system.

Congratulations, you have now enabled advanced data transformation and analytics.

For any further questions make sure to reach out to support@secure60.io. We have a team ready to assist with any further questions.
