Document Version: 3.2

Date: 2020-06-23


Copyright

© 2021 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® in Sweden and other countries.



Introduction

This document provides users with a comprehensive overview of how to set up and use the Integrations module in OUTSCAN™ and HIAB™. It has been written under the assumption that the reader has access to the OUTSCAN/HIAB account and portal interface.


Overview

Integrations Overview

INTEGRATION        | DATA                 | SW / API Version                                      | OUTSCAN | HIAB
-------------------+----------------------+-------------------------------------------------------+---------+-----
Identity Provider  | Authentication <     | SAML 2.0                                              | X       | X
Splunk             | Events >             | (not available)                                       | X       | X
Atlassian Jira     | Events >             | Tested with 7.1.9                                     | X       | X
ServiceNow         | Assets <, Findings > | Istanbul, Jakarta, Kingston, Madrid, New York         | X       | X
Amazon             | Assets <             | AWS API V1                                            | X       | X
CyberArk           | Credentials <        | Tested with 9.6                                       | X       | X
SAML/SSO           | Authentication       |                                                       | X       | X
LDAP/AD            | Users <, Targets <   | LDAPv3                                                |         | X
Syslog/Syslog TLS  | Events >             | (own implementation)                                  |         | X
ArcSight           | Events >             | (not available)                                       |         | X
SNMP               | Events >             | 2 and 3                                               |         | X
Database Connector | Events >, Findings > | All most recent versions of MS SQL, MySQL, PostgreSQL |         | X
Thycotic           | Credentials <        | Tested with 10.7                                      | X       | X
Azure AD           |                      |                                                       | X       | X



Note

The arrows indicate whether our platform takes data from the integrated system as input (<) or sends data to the integrated system as output (>).


Getting Started

There are two ways of launching your applications.

  • From OUTSCAN
  • From a HIAB

OUTSCAN

To launch the OUTSCAN application, navigate to https://outscan.outpost24.com.

Note

Use HTTPS protocol.

Login OUTSCAN


Log in using your credentials.

HIAB

To connect to a HIAB, use the assigned network address.

Note

Use HTTPS protocol.

Login HIAB

Log in using your credentials.

Note

Make sure that the account you are using is a Main User/Super User account.

Identity Provider

An Identity Provider (IdP) offers user authentication as a service. It is a trusted provider that allows the use of single sign-on (SSO) to access other applications. SSO improves usability by reducing password fatigue, as passwords are maintained on your IdP.

Set Up Identity Provider

Requirements

To enable SSO on HIAB/OUTSCAN you have to import metadata from your IdP into HIAB/OUTSCAN. You also need to export the service provider's metadata from HIAB/OUTSCAN and import it into your IdP.

Note

When reading the IdP response during sign-in to our portal, we accept signed assertions carrying attributes. The attribute list your IdP returns in the response must include your user name in one attribute. By default this attribute is expected to be named uid, but a different attribute name can be configured (see the Subject attribute field).

Set up Identity Provider Integration

To set up Identity Provider:

  1. Go to Menu > Settings > Integrations > Identity Provider.



  2. Provide the below information to enable Identity Provider (IdP):
    • Enabled: Select the Enabled checkbox to enable the protocol for single sign-on trusting another source to log in.

 Use one or both of the following options to provide the metadata of the IdP:

    • Get metadata from file: Select Identity provider’s metadata file by clicking the + symbol beside the field.
      Metadata contains information such as how it works, what type of login is acceptable and so on.
    • Get metadata from URL: Provide a URL from which the OUTSCAN or HIAB (Service Provider) should fetch metadata from IdP.
    • Subject attribute: Enter the name of the attribute that carries the user name (uid by default). This field cannot be left empty.

      Note

      The attribute name must be typed exactly as it appears in the SAML authentication response: a single word starting with a lowercase letter, which may contain uppercase letters (for example camelCase).

    • Signature hash algorithm: Select between SHA-256 or SHA-1.

After enabling the required settings:

  • Save: Click Save to save the current settings.
  • Reset: Click Reset to fully remove the current settings. This disables the integration.
  • IDP Metadata: Click this button to display the currently uploaded metadata of the Identity Provider.
  • SP Metadata: Click this button to display the service provider's metadata.



Splunk

Splunk is software for searching, monitoring, and analyzing machine-generated big data. Splunk captures, indexes, and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards, and visualizations.

A trial version of Splunk can be downloaded from the official Splunk website. The integration is implemented in both OUTSCAN and HIAB and is mostly used by the Event Notification system and the Audit Log.

Note

Splunk is integrated with both HIAB and OUTSCAN. This guide describes the integration from a HIAB, but the procedure is the same for OUTSCAN.

There are two ways of integrating with Splunk:

  • Create a user with a role, for TCP mode.
  • Create an HTTP Event Collector (HEC) token, for HTTP Event Collector mode, which lets you send data and application events to Splunk over HTTP and secure HTTP (HTTPS).

Prerequisites

  • To set up the HIAB/OUTSCAN-Splunk integration in TCP mode, an index, a role, and a user must already be set up in Splunk.

    Tip

    It is recommended to create a new user with limited access rights and a separate Splunk index for the data sent from the HIAB to Splunk.
  • It is important that the index exists before defining a role for the HIAB access. Otherwise, the restricted access cannot be set up for the specific index. If an index has already been set up, skip to section Create a Role.
  • The HTTP Event Collector does not require users and roles to be set up in Splunk since it uses an access token. However, an index is required for the HTTP Event Collector. If an index has already been set up, skip to section Create an HTTP Event Collector.

A Splunk index is a repository for data in Splunk; it resides in flat files on the Splunk instance.

Splunk Integration - TCP

Create Index

  1. Login with an existing Splunk account.



  2. Go to Settings on the top left menu and then click on Indexes in the DATA group.


  3. Click on the New Index button in the top right corner.


  4. Complete these details. In the steps below, HIAB is used as example.


  5. Click Save.

  6. The new index has been added to the list.


Create Roles

  1. Go to Settings on the top left menu and then click on Access Controls in the USERS AND AUTHENTICATION group.


  2. Click Add new on the Roles row in the table.


  3. Create a role in Splunk according to the HIAB Integration Mode you want to use.
    1. For a TCP integration, create a role in Splunk with the following parameters. See the Mode option in the HIAB Integrations Settings table.

      Parameter                     Value
      Name                          hiab-tcp-indexer
      Capabilities                  edit_tcp
      Indexes searched by default   hiab
      Indexes                       hiab





      Note

      The role is only granted access to indexes defined here.




Create Users

In this section we add a new user (account) for the HIAB. This user is given the role created in the previous step, which effectively limits the capabilities of the account to pushing data to the specified index.

  1. Go to the Access Controls.
  2. Click Add new in the Roles row of the table.


  3. Click Add new on the user row:
    • Name: HIAB
    • Assign role: hiab-indexer



Procedure in HIAB/OUTSCAN 

  1. In the HIAB click Main Menu > Settings > Integrations.
  2. Select the Splunk tab in the Integrations Settings window.


  3. Fill in the Integration settings as shown in the HIAB Integrations Settings table.
  4. Click the Save button.
  5. Click the Status button in the lower right corner to test the setup to Splunk.


The HIAB should now show pass, indicating a successful setup of the HIAB Integration with Splunk.

Splunk Integration - HTTP Event Collector

Create an HTTP Event Collector

  1. Go to Settings on the top left menu.
  2. Click on Data Inputs in the DATA group.


  3. Click HTTP Event Collector in the HTTP Event Collector row of the table.


  4. Click the Global Settings button on the top right of the menu.


  5. Click the Enabled button.
  6. Select the Enable SSL checkbox.
  7. Enter the HTTP port number.
  8. Click the Save button.
  9. Click the New Token button on the top right to create the token.


  10. Select the HIAB index that was created in Creating Index section at the beginning of the configuration.


  11. Review the configuration and then click on the Submit button.


  12. Do not forget to register the Token Value given after submitting the configuration.


Procedure in HIAB/OUTSCAN

  1. In the HIAB or OUTSCAN click the Main Menu > Settings > Integration.
  2. Select the Splunk tab in the Integrations Settings window.


  3. Fill in the Integration settings as shown in the Integrations Settings table.


    Integrations Settings

    • Enabled: Click on this field to enable the Splunk feature.
    • Mode:
      • HTTP Event Collector - When selected, the username and password fields are not available.
      • TCP - When selected, the username and password fields are enabled.
    • Host: Provide your Splunk server name.
    • Port: Provide the management port that Splunk is using to communicate. Default: 8089
    • Username: Provide the username to authenticate against the Splunk server.
    • Password: Provide the password to authenticate against the Splunk server.
    • Token: HTTP Event Collector (HEC) token. HEC tokens are sent in the headers of the data packets to authenticate them with Splunk.
    • Index: If the user enters an index that does not exist, a new one is created. All events will be prefixed with the index name.
    • Send audit log (HIAB only): Check this box to send audit log entries to Splunk.
  4. Click the Save button.
  5. Click the Status button in the lower right corner to test the setup to Splunk.

The HIAB should now show pass, indicating a successful setup of the HIAB Integration with Splunk.



Note

The newly setup account only has access through the API and is only able to interact with the index, restricting its access.

Event Notifications for Splunk

Common Information Model

The Splunk CIM is a shared semantic model that focuses on extracting value from data. The CIM is an add-on that contains a collection of data models, documentation, and tools that support the consistent, normalized treatment of data for maximum efficiency at search time.

Tip

You can now choose to send notifications related to Findings only in CIM format.
Outpost24 name      Splunk CIM
Script Name         signature
Script ID           signature_id
Target              dest_ip
Hostname            dest_name
Bugtraq             bugtraq
Risk Level          risk
CVSS                cvss
CVE                 cve
Family              category
Solution Patches    MSKB
Product             vendor_product
Severity            severity

For settings, see Event Notifications.
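As an added example (not Outpost24's own implementation), the following Python renames a finding's fields to the CIM names in the table above and wraps the result in an HTTP Event Collector request, with the HEC token carried in the Authorization header as the Integrations Settings table describes. The finding, host name, port 8088 and sourcetype are assumptions; the collector endpoint path and the "Splunk <token>" header format are Splunk's standard HEC conventions.

```python
import json
import ssl
import urllib.request
from typing import Any, Dict, Tuple

# Outpost24 field name -> Splunk CIM field name, as listed in the table above.
CIM_FIELDS = {
    "Script Name": "signature",
    "Script ID": "signature_id",
    "Target": "dest_ip",
    "Hostname": "dest_name",
    "Bugtraq": "bugtraq",
    "Risk Level": "risk",
    "CVSS": "cvss",
    "CVE": "cve",
    "Family": "category",
    "Solution Patches": "MSKB",
    "Product": "vendor_product",
    "Severity": "severity",
}

# Constructed finding; the script ID and CVE are placeholders, not real values.
SAMPLE_FINDING = {
    "Script Name": "Outdated SSH server version",
    "Script ID": 0,
    "Target": "10.0.0.5",
    "Hostname": "web01.example.test",
    "Risk Level": "High",
    "CVSS": 7.5,
    "CVE": "CVE-0000-0000",
    "Family": "Remote access",
    "Product": "openssh",
    "Severity": "high",
    "Internal comment": "not a CIM field, must not reach the index",
}


def to_cim(finding: Dict[str, Any]) -> Dict[str, Any]:
    """Rename the known Outpost24 fields; fields with no CIM mapping are dropped."""
    return {CIM_FIELDS[name]: value for name, value in finding.items() if name in CIM_FIELDS}


def build_hec_request(host: str, port: int, token: str, index: str,
                      event: Dict[str, Any],
                      sourcetype: str = "outpost24:finding"
                      ) -> Tuple[str, Dict[str, str], Dict[str, Any]]:
    """Return (url, headers, body) for a POST to Splunk's /services/collector/event endpoint.

    The HEC token goes in the Authorization header; the index chosen in the Integrations
    Settings is set per event. 'port' is the HEC port entered under Global Settings, and
    'sourcetype' is an assumed name, not something the guide specifies.
    """
    url = f"https://{host}:{port}/services/collector/event"
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    body = {"index": index, "sourcetype": sourcetype, "event": event}
    return url, headers, body


def send_event(url: str, headers: Dict[str, str], body: Dict[str, Any], cafile: str) -> int:
    """POST one event over HTTPS, trusting only the CA bundle that signed the Splunk
    certificate rather than disabling verification. Returns the HTTP status code."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    url, headers, body = build_hec_request("splunk.example.test", 8088,
                                           "HEC-TOKEN-PLACEHOLDER", "hiab",
                                           to_cim(SAMPLE_FINDING))
    print(url, json.dumps(body, indent=2))
```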


Atlassian Jira

Jira is a ticketing system that is implemented in both OUTSCAN and HIAB. It can be used in many ways and has different projects to organize the various usages. Tickets (issues) can be created with an assignee, who is responsible for getting it done, and a reporter, who created it. When Jira is enabled, it is visible as a ticket system in both Assign Task and Event Notifications. Recently,

Note

A linked issue can be created between projects or sub-tasks if it is a bigger task. The Jira instance must be running HTTPS.

Configuring OAuth in Jira

Note

This is required only when you use the OAuth authentication method for Jira on OUTSCAN/HIAB. Jira Administrator access is a prerequisite for the setup.

Follow the below procedure to set up OAuth in Jira:  

  1. Login to OUTSCAN/HIAB.
  2. Go to Settings > Integrations and click on the Keys tab. If it has no content, click the Generate new button and copy the public key.
  3. Go to Jira and log in (as administrator).
  4. Go to Jira administration > Applications > Application links.

    Note

    To set up OAuth using Jira cloud, go to Jira administration > Products > Application links and then proceed according to the instructions.

  5. Enter the URL to OUTSCAN or your HIAB and click on Create new link.

    Important!

    The URL to OUTSCAN or HIAB must not end with a /.

    Ex:

    https://outscan.outpost24.com

    Note

    You might get a warning that no response is received, which is fine.
  6. Click Continue.
  7. Now set up the actual connection:
    1. Application Name: Provide a name for this connection, as it will be shown in Jira.
    2. Application Type: Generic Application.
  8. Select the Create incoming link checkbox and click Continue.
  9. Fill in the remaining details:
    1. Consumer key: Any text string, for example a randomly generated one.
    2. Consumer Name: Provide a name. It can be the same as the application name.
    3. Public Key: Paste the public key copied from OUTSCAN/HIAB.
  10. Click on Register Application.

Set Up Jira Integration

Prerequisites

  • HTTPS certificate from the Jira server.
  • The user should have permission to read issues and to create new issues.
  • Jira must be set up to accept sub-tasks and priority fields; these must also be set as required in Jira.
  • It is important that no custom fields are set up as required, since neither the HIAB nor OUTSCAN provides information for those fields.

Setting up

To set up Jira:

  1. Download the HTTPS certificate from your Jira server.
  2. Go to Main Menu > Settings > Integrations.
  3. Select the Jira tab.
  4. Fill in the forms in the Integration Settings window for Jira. Depending on the type of authentication chosen, the options vary.

    1. When Basic Auth is selected:

      • Enabled: Select the Enable checkbox to enable Jira.
      • URI: Provide the URI of the Jira server (only the https protocol is supported).
      • Project Key: Provide the project key of the Jira project to use.
      • Issue Type: Jira can be used to track different types of issue. The common issue types are Bug, Epic, and Story.
      • Finished Status: Specify the Jira issue status that marks an issue as finished.
      • Authentication: Select Basic Auth.
      • Username: Provide the username to authenticate against the Jira server.
      • Password: Provide the password to authenticate against the Jira server.
      • Link old issues: Enable this feature if you want to link old issues. It is useful when you regenerate tickets for a similar issue.

        Note

        When a ticket for a finding already exists in Jira but is closed, a new ticket is created. If the Link old issues checkbox is selected, the old closed ticket is linked to the new one.

      • Certificate: Upload the SSL certificate of the Jira instance.
      • Certificate uploaded: Displays Yes if a certificate has been uploaded and No if there is no certificate available.
      • Reset (optional): Click Reset to fully remove the current settings. It disables the integration. It does not have to be done after you have disabled the integration, since you might want to use the same settings again.

    2. When OAuth is selected:

      • Enabled: Select the Enable checkbox to enable Jira.
      • URI: Provide the URI of the Jira server (only the https protocol is supported).
      • Project Key: Provide the project key of the Jira project to use.
      • Issue Type: Jira can be used to track different types of issue. The common issue types are Bug, Epic, and Story.
      • Finished Status: Specify the Jira issue status that marks an issue as finished.
      • Authentication: Select OAuth.
      • OAuth Consumer Key: Provide the same Consumer key that is set in Jira.
      • Link old issues: Enable this feature if you want to link old issues. It is useful when you regenerate tickets for a similar issue.

        Note

        When a ticket for a finding already exists in Jira but is closed, a new ticket is created. If the Link old issues checkbox is selected, the old closed ticket is linked to the new one.

      • Certificate: Upload the SSL certificate of the Jira instance.
      • Certificate uploaded: Displays Yes if a certificate has been uploaded and No if there is no certificate available.
      • Authenticate: Click on Authenticate to establish the connection. A popup then shows a link to your Jira.
        1. Open the link (either by clicking it, which opens a new tab, or by copying and pasting it into your browser). If you do not have a valid session for Jira you will be asked to log in.
        2. A page opens asking you to allow or deny the application (it shows whatever was configured as "Application name" above).
        3. Click Allow.
        4. Go back to OUTSCAN/HIAB and press OK on the popup with the link.
      • Reset (optional): Click Reset to fully remove the current settings. It disables the integration. It does not have to be done after you have disabled the integration, since you might want to use the same settings again.
  5. Click Save to save the current settings.


Note

Unless you get any error, the Jira integration is now configured.

Tickets

Note

The user should have permission to read issues and to create new issues.

If you scan a lot of targets, it is recommended to have a separate Jira project for these tickets, since they can easily reach high in numbers. Every new finding can create one or more new tickets in your Jira server.

There is no maintenance needed except synchronizing configuration if you re-configure your Jira in any way. Synchronization between Jira and OUTSCAN/HIAB is periodic.

Note

This may cause up to X minutes delay in the update.

Creating a Ticket

After enabling Jira, use any of the following ways to create a ticket:

Method 1

  1. Go to Main Reporting Tools > Findings.
  2. Right click on any finding, select Assign task.


  3. Select Jira in the ticket system drop-down menu.
  4. Click Save to create a ticket.

Method 2

  1. Go to PCI scanning > Reports.
  2. Right click on a finding, select Assign task.
  3. Select Jira in the ticket system drop-down menu.
  4. Click Save to create a ticket.

Method 3

  1. Go to Event Notifications.
  2. Click +New.
  3. Select Jira in the Action drop-down menu.

    Note

    This action is only available for Finding Information, Low Risk, Medium Risk, and High Risk.

  4. Click Save to create tickets whenever a report is created with findings of the type of the event.



Keys

In this tab, you can generate a public key.

Note

This is currently used for OAuth authentication for Jira only.



ServiceNow

ServiceNow is a cloud service that can handle many different needs within a company. Some of its features are:

  • Ticket system
  • CMDB
  • Discovery server
  • Security management

When ServiceNow is enabled, it will be visible as a ticket system in Assign Task, and Event Notifications. It also adds an option of importing targets from ServiceNow and activating events and tools for adding tickets. If you disable ServiceNow, the targets will no longer update or scan via ServiceNow until you enable it again.


Ticket system:

A ServiceNow ticket created for a finding is added as an Incident with target and script information, and the solution to the finding is added as a Problem. Synchronization between ServiceNow and OUTSCAN/HIAB is periodic, which may cause some delay in the update. With the ticket system, we recommend using old scans to add the tickets you want to get started with, and then adding the events you want for future scans.

Set Up ServiceNow

Prerequisites


Note

The ServiceNow account used for the integration needs to have Can create and Allow access to this table via web services for Incident and Problem tables selected in order for it to succeed.


The ServiceNow service requires an external OAuth Setup to be configured.

To configure OAuth Setup:

  1. Log in to ServiceNow using your credentials.
  2. Go to System OAuth > Application Registry in the ServiceNow service.
  3. Click New.
  4. On the interceptor page, click Create an OAuth API endpoint for external clients.
  5. Fill in the fields.
  6. Click Submit.


When completed, fill in the Client ID and Client secret (if used) in the Integrations window.

  1. Go to Main Menu > Settings > Integrations.
  2. Select the ServiceNow tab.



  3. Follow the below procedure to enable ServiceNow:

    • Enabled: Click on this field to enable ServiceNow.
    • URI: Provide the URI of the ServiceNow server (only the https protocol is supported).
    • Username: Provide the username to authenticate against the ServiceNow server.
    • Password: Provide the password to authenticate against the ServiceNow server.
    • Client ID (if used): Provide your client ID, which is generated using the OAuth module.
    • Client Secret (if used): Provide your client password.
    • Add finding solution as problem: Click on this field to view the finding solutions under Problems in ServiceNow.
    • Certificate: Upload the SSL certificate of your ServiceNow instance.
    • Certificate uploaded: Displays Yes if a certificate has been uploaded and No if there is no certificate available.
    • App integration enabled (if used): Click on this field to enable ServiceNow app integration.
    • App granted IP range(s) (if used): Add an IP range to restrict the access.
    • Save: Click on this button to save your current settings.

After enabling ServiceNow, use any of the following ways to create a ticket in OUTSCAN/HIAB:

Method 1

  1. Go to Main Menu > Netsec > Reporting Tools > Findings.
  2. Right click on any finding, select Assign task.


  3. Select ServiceNow in the ticket system drop-down menu.
  4. Click Save to create a ticket.

Method 2:

  1. Go to PCI scanning > Reports.
  2. Right click on a finding, select Assign task.
  3. Select ServiceNow in the ticket system drop-down menu.
  4. Click Save to create a ticket.

Method 3:

  1. Go to Event Notifications.
  2. Click +New.
  3. Select ServiceNow in the Action drop-down menu.

    Note

    This action is only available for Information, Low-Risk, Medium-Risk, and High-Risk findings.

  4. Click Save to create tickets whenever a report is created with findings of the type of the event.

Incident

In ServiceNow a ticket is called an incident. When a scan encounters a finding, it creates a ticket that ends up in Incident > Open.




Amazon

This tab lets you set up scans against instances in the Amazon cloud. It also enables the option to run discovery scans using the ARNs added in this setup. The Amazon service is implemented in both OUTSCAN and HIAB.

Note

Amazon targets can only be added to OUTSCAN/HIAB via discovery scans. Only OUTSCAN is whitelisted by Amazon as an authorized scanner; scanning from a HIAB may require additional authorization from Amazon.

Set Up Amazon

To setup Amazon:

  1. Go to Main Menu > Settings > Integrations to open the Integration Settings window.
  2. Select the Amazon tab. 


Follow the below procedure to scan instances:

  1. To enable this feature, select the Enabled box.
  2. Create a new user role with the Account Id and External Id noted.
  3. Apply IAM policy given below for the role on Amazon cloud to grant access to the targets.

    {
       "Version": "2012-10-17",
       "Statement": [{
          "Sid": "Stmt1400711494000",
          "Effect": "Allow",
          "Action": [
             "ec2:DescribeInstances",
             "ec2:DescribeRegions",
             "elasticloadbalancing:DescribeLoadBalancers",
             "elasticloadbalancing:DescribeTargetGroups",
             "elasticloadbalancing:DescribeTargetHealth"
          ],
          "Resource": ["*"]
       }]
    }

    Note

    Any role which gives you read-only access to the required Actions listed in the policy will work.

  4. Enter the Amazon Resource Name (ARN) for the newly created role in the table using + New button.
  5. Click Save to save the current settings.
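An added check (not Outpost24 or AWS code) that a candidate IAM policy grants the five actions listed above and nothing that is not read-only, and that the role's trust policy pins the External Id noted in the Amazon tab, which is how a cross-account role restricts who may assume it. The over-broad policy, the trust policy, and the account ID and External Id in it are constructed placeholders; the first policy is the one from the procedure above.

```python
import fnmatch
import json
from typing import Any, Dict, List

# The five read-only actions the policy in the procedure above grants.
REQUIRED_ACTIONS = [
    "ec2:DescribeInstances",
    "ec2:DescribeRegions",
    "elasticloadbalancing:DescribeLoadBalancers",
    "elasticloadbalancing:DescribeTargetGroups",
    "elasticloadbalancing:DescribeTargetHealth",
]
# Action name prefixes treated as read-only; any other Allow entry is flagged.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")

# The policy from the procedure above, verbatim.
PAGE_POLICY = json.loads("""{
   "Version": "2012-10-17",
   "Statement": [{
      "Sid": "Stmt1400711494000",
      "Effect": "Allow",
      "Action": [
         "ec2:DescribeInstances",
         "ec2:DescribeRegions",
         "elasticloadbalancing:DescribeLoadBalancers",
         "elasticloadbalancing:DescribeTargetGroups",
         "elasticloadbalancing:DescribeTargetHealth"
      ],
      "Resource": ["*"]
   }]
}""")

# Constructed over-broad policy: covers the required actions but grants far more.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["ec2:*", "elasticloadbalancing:Describe*", "iam:PassRole"],
                   "Resource": "*"}],
}

# Constructed trust policy; the account ID and External Id are placeholders for the
# values shown in the Amazon tab.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXTERNAL-ID-PLACEHOLDER"}},
    }],
}


def _allowed_actions(policy: Dict[str, Any]) -> List[str]:
    """Flatten every Action of every Allow statement (Action may be a string or a list)."""
    actions: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        actions.extend([action] if isinstance(action, str) else action)
    return actions


def missing_required_actions(policy: Dict[str, Any]) -> List[str]:
    """Required actions that no Allow entry matches; IAM wildcards (* and ?) are honoured."""
    allowed = _allowed_actions(policy)
    return [r for r in REQUIRED_ACTIONS
            if not any(fnmatch.fnmatchcase(r, a) for a in allowed)]


def non_read_only_actions(policy: Dict[str, Any]) -> List[str]:
    """Allow entries that can reach beyond read-only access, e.g. '*', 'ec2:*', 'iam:PassRole'."""
    flagged = []
    for action in _allowed_actions(policy):
        _, _, name = action.partition(":")
        if action == "*" or name in ("", "*") or not name.startswith(READ_ONLY_PREFIXES):
            flagged.append(action)
    return flagged


def trust_requires_external_id(trust: Dict[str, Any], external_id: str) -> bool:
    """True only if every AssumeRole Allow statement pins sts:ExternalId to the noted value,
    so a third party who merely learns the role ARN cannot assume it."""
    stmts = [s for s in trust.get("Statement", []) if s.get("Effect") == "Allow"]
    if not stmts:
        return False
    return all(s.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId") == external_id
               for s in stmts)


if __name__ == "__main__":
    for label, pol in (("page policy", PAGE_POLICY), ("broad policy", BROAD_POLICY)):
        print(label, "missing:", missing_required_actions(pol),
              "not read-only:", non_read_only_actions(pol))
    print("trust pins External Id:", trust_requires_external_id(TRUST_POLICY, "EXTERNAL-ID-PLACEHOLDER"))
```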



CyberArk


Note

CyberArk is supported in HIAB and OUTSCAN for both internal and external IP addresses.

CyberArk provides a privileged account security solution and password vault. It is required to have the CyberArk AIM suite to use the integration.

Note

CyberArk authentication cannot be configured on the policy level, only on the target level.

Define the Application Manually via CyberArk 

To define the Application manually via CyberArk’s PVWA (Password Vault Web Access) Interface:

  1. Log on with a user allowed to manage applications (this requires the Manage Users authorization).
  2. Go to the Applications tab and click Add Application; the Add Application page is displayed.
  3. In the Name field, enter the pre-defined APPID that the customer should use.

Set Up CyberArk in OUTSCAN or HIAB

To set up CyberArk in OUTSCAN or HIAB:

  1. Go to Main Menu > Settings > Integrations.
  2. Select the CyberArk tab.


    Provide the below information to use CyberArk:

    • Enabled: Click on this field to enable CyberArk.
    • Host: Provide the hostname of the CyberArk server.
    • Port: Provide the port that CyberArk accepts connections on.
    • AppID: Enter the application ID, an authentication token from CyberArk.
    • Default safe: Provide the CyberArk safe name to be used as default.
    • Default folder: Provide the folder to search for secrets.
    • Save: Click on this button to save your current settings.
  3. Click Save.


After enabling CyberArk:

  1. Go to Main Menu > Netsec > Manage Targets.
  2. Edit a target to setup the Authentication.
    CyberArk SSH and CyberArk SMB are now visible as new options.
  3. Click on any of the options to use the respective authentication.


  4. Provide your credentials:

    • Username: Provide the username to use when authenticating to the target.
    • Object name: Check with your CyberArk Vault administrator and provide the object name. It is the name of the "secret" (which contains the specific credential).
    • Override safe: Provide a different safe name in case you wish to override the default safe name.
    • Override folder: Provide a different folder name in case you wish to override the default folder name.

    Note

    The Override settings provide the ability to change (override) the defaults on a specific target.

  5. Click Test to start a verification.
  6. Click Save to enable the current settings.



SAML/SSO

SAML is a Single Sign On (SSO) solution that enables users to sign on using their own application instead of OP24 credentials. This makes it easier for users, since they only have to maintain one system for all the applications they have.

Single Sign On uses metadata and certificates to exchange trust. To log in, the Service Provider (SP) makes a request to the Identity Provider (IDP). This request contains information about who the SP is, how it wants the data presented, and where the response should be sent. The IDP checks the request, makes sure that it recognizes it, and then sends the user to log in.

If the user is already logged in, the IDP skips this step. If the user is not logged in, the user logs in with username and password or any other way that the IDP is set up to use.

After the user has logged in, the IDP sends a response to the SP containing information about the user, such as username, email, or other information requested in the SAML request. The SP checks that it recognizes the IDP and then logs the user in.

In most cases this means that the user triggers the SAML request, gets redirected to the IDP and back, and is logged in within seconds without entering any credentials.

Solution

Requirements

The customer needs an IDP with an underlying LDAP or similar. The IDP must be reachable from the network of the OUTSCAN/HIAB and the username it returns must match the username in OUTSCAN/HIAB. There are many ways of getting an IDP depending on how much you want to be able to customize.

The IDP metadata is tested before it is accepted into OUTSCAN/HIAB. It must have a validUntil value and a SingleSignOnService binding of HTTP-Redirect. It also needs signing and encryption keys, since everything is sent encrypted and signed responses are required.
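An added pre-flight check (not Outpost24 code) that applies these requirements to an IdP metadata file before upload, and equally covers step 11 of the OneLogin guide below: validUntil on the EntityDescriptor, a SingleSignOnService with the HTTP-Redirect binding, and both a signing and an encryption KeyDescriptor. The embedded metadata is a constructed sample with a placeholder entity ID, endpoints and certificate.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import List, Optional

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample IdP metadata: placeholder entity ID, endpoints and certificate.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.test/saml" validUntil="2099-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso/post"/>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://idp.example.test/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_idp_metadata(xml_text: str, now: Optional[datetime] = None) -> List[str]:
    """Return the list of requirements the metadata fails; an empty list means it passes."""
    problems: List[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return [f"root element is {root.tag}, expected md:EntityDescriptor"]

    # 1. validUntil must be present and still in the future.
    valid_until = root.get("validUntil")
    if not valid_until:
        problems.append("EntityDescriptor has no validUntil attribute")
    else:
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expiry <= (now or datetime.now(timezone.utc)):
            problems.append(f"metadata expired at {valid_until}")

    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        problems.append("no IDPSSODescriptor: this is not IdP metadata")
        return problems

    # 2. An SSO endpoint with the HTTP-Redirect binding is required.
    bindings = {s.get("Binding") for s in idp.findall(f"{{{MD}}}SingleSignOnService")}
    if REDIRECT not in bindings:
        problems.append("no SingleSignOnService with HTTP-Redirect binding")

    # 3. Both a signing and an encryption key are required. A KeyDescriptor with no
    #    'use' attribute may serve both purposes, so it satisfies both requirements.
    uses = {k.get("use") for k in idp.findall(f"{{{MD}}}KeyDescriptor")}
    if None in uses:
        uses.update({"signing", "encryption"})
    for needed in ("signing", "encryption"):
        if needed not in uses:
            problems.append(f"no KeyDescriptor for {needed}")
    return problems


if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE_METADATA) or "metadata passes all checks")
```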

Step-by-Step Guide

Integrating Onelogin as Identity Provider with OUTSCAN or HIAB as Service Provider.


  1. Get OUTSCAN/HIAB metadata by clicking on SP Metadata button on relevant windows.
  2. Go to Add App option under APPS tab in your onelogin account.
  3. Search for SAML in the search bar and select the connector with attributes. We require signed assertions and, according to onelogin, the connector highlighted in the following picture fulfills this requirement (https://support.onelogin.com/hc/en-us/articles/202673944-How-to-Use-the-OneLogin-SAML-Test-Connector).



  4. Fill out the application name and save.
  5. Go to Configuration tab of application and fill out URL validator field according to onelogin guide (https://support.onelogin.com/hc/en-us/articles/202673944-How-to-Use-the-OneLogin-SAML-Test-Connector).
  6. Get response URL from OUTSCAN/HIAB metadata to fill ACS (Consumer) validator field.
  7. Set an additional parameter in Parameters tab.




  8. Fill out the other tabs according to your policy. For example, give access and privileges to users.
  9. You may also need to give access of application in Applications tab of Users section.
  10. Get SAML Metadata from more action drop down.
  11. Open the metadata file and make sure it has validUntil value in EntityDescriptor tag.
  12. Upload metadata on OUTSCAN/HIAB.



LDAP/AD (HIAB only)

The Lightweight Directory Access Protocol (LDAP) or an Active Directory (AD) integration is used for several purposes, such as:

  • Authentication against the system for the purpose of user management, allowing organizational memberships or attributes from the AD to dictate access in the HIAB.
  • Discovery scanning, implying that devices added in the active directory can be added as devices to the HIAB for scanning purposes.


To set up LDAP/AD, follow the below procedure:

  1. Go to Main Menu > Settings > Integrations.
  2. Select LDAP/AD tab.


The elements of the LDAP/AD tab are described below:

  • Enabled: Tick to enable the use of LDAP/AD feature.


Primary Server and Failover Server

The system allows you to define both Primary Server and Failover Server.
The Failover Server is accessed if the Primary Server is unavailable when required. The following options are available for both Primary and Failover servers.


Option

Description

Type

Select whether to use an LDAP or an AD server to authenticate users against the directory and to import targets and users into HIAB.

Server

Define the network location of the LDAP or AD server.

Port

Displays the default port used by LDAP or AD server when TLS encryption is enabled.

Note

Can be changed if required.

Use TLS Encryption

Must be checked if the server uses TLS (Transport Layer Security) during the connection phase.

Base DN

Enter the base distinguished name (DN), for example "dc=ad,dc=local".

Note

If you have an Active Directory server, then you should also provide the Domain in a simple form like "ad.local". This is used when we supply the username in the authentication process against the active directory server.

Connect Method

Define if the connection should be Anonymous or Non-anonymous.

Note

Base DN is the domain where AD is located and Bind DN is the account which the HIAB should use to access the AD.

Bind DN

If the Connect Method is Non-anonymous, provide the domain name to use when authenticating with the server.

Bind Password

Supply the Bind Password for the above domain name.

Test LDAP/AD

Once all the required settings are supplied, check the configuration by pressing the Test LDAP/AD button in the respective section.

Import and specific mapping settings for the user and target integration are located under respective settings sections.


Attribute Mapping Users
Provide the LDAP server attribute names that correspond to the fields mentioned below.


Option

Description

Username

Your username

Firstname

Your first name

Lastname

Your last name

Email Address

Your email address

Mobile number

Your mobile number

Country

Your country name

State

Your state name


Attribute Mapping Targets
Provide the LDAP server attribute names that correspond to the fields mentioned below.

Option

Description

IP Address

Target IP address

Host name

Target hostname

NetBIOS

Target NetBIOS name

MAC Address

Target MAC address


LDAP/AD Configuration

Option

Description

Base DN (Users)

Enter the base domain name. This is used only when importing users.

Search filter user

Provide a phrase to filter the results further.

Base DN (Groups)

Enter the base domain name. This is used to import user groups when a user is authenticated.

Base DN (Targets)

Enter the base domain name. This is used only when importing targets.

Search filter target

Provide a phrase to filter further.


User Roles

The User Roles section allows you to define whether roles should automatically be assigned to imported users, based on group memberships already defined in the LDAP/AD tree. If enabled, you can define a matching field on each user role in the HIAB. If they match, that user role is automatically assigned to the imported user. The matching field is present in the Maintaining User Role section when you edit or create a role.

Example: HIAB.Administrator is automatically assigned to users that belong to the group admin in the LDAP/AD tree.
Click Save to save the current settings. 

Integrate Users

Once the LDAP/AD feature has been enabled:

  1. Go to Main Menu > Settings > Manage Users.
  2. Click on Import from LDAP/AD in the Manage User Accounts section to open a window where you can filter which users to import into the system.




If a line is marked red, the user details either do not contain all required fields or contain content that is not allowed. Grey text indicates that the user already exists in the system.
A user is valid if the following criteria are fulfilled:

  • Username must be longer than 1 character.
  • First name must exist.
  • Last name must exist.
  • Email address must be valid.


Note

Do not use a comma in any of the above inputs, as it is interpreted as a separator.

Note

If the country is omitted or not available, it is set to the country of the logged-in user. The country is used when selecting the time zone for the user so that the time is reported correctly in the GUI.


The Parent Account setting allows you to import users at different levels if required.

Note

Mapping can be changed in Main Menu > Settings > Integrations > LDAP/AD.
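As an added example (not Outpost24 code), the following Python applies the validity rules above to entries read from a directory: the AD attribute names in the mapping, the sample entries and the function names are constructed assumptions, and the simplified e-mail check stands in for the product's own rule.

```python
"""Apply the user-import validity rules described above to entries read from LDAP/AD."""
import re

# Attribute mapping in the shape of the "Attribute Mapping Users" table; the
# AD attribute names on the right are constructed examples, not product defaults.
USER_MAPPING = {
    "Username": "sAMAccountName",
    "Firstname": "givenName",
    "Lastname": "sn",
    "Email Address": "mail",
    "Mobile number": "mobile",
    "Country": "co",
    "State": "st",
}

# Simplified address check; the page does not define the product's own rule.
EMAIL_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")


def map_user(entry, mapping=USER_MAPPING):
    """Pick the mapped attributes out of an LDAP entry (attribute -> list of values)."""
    return {field: (entry.get(attr) or [""])[0] for field, attr in mapping.items()}


def validate_user(user, existing_usernames=(), default_country="SE"):
    """Classify a mapped user: 'valid', 'invalid' (red on the page) or 'exists' (grey).

    Returns (status, reasons). Invalid content is reported before an existing
    username; that ordering is an assumption made here for illustration.
    """
    reasons = []
    if len(user["Username"]) <= 1:
        reasons.append("username must be longer than 1 character")
    if not user["Firstname"]:
        reasons.append("first name must exist")
    if not user["Lastname"]:
        reasons.append("last name must exist")
    if not EMAIL_RE.match(user["Email Address"]):
        reasons.append("email address must be valid")
    # A comma is interpreted as a separator, so it is not allowed in any input.
    reasons += [f"{field} contains a comma" for field, value in user.items() if "," in value]
    if not user["Country"]:
        # An omitted country falls back to the logged-in user's country.
        user["Country"] = default_country
    if reasons:
        return "invalid", reasons
    if user["Username"] in existing_usernames:
        return "exists", []
    return "valid", []


# Constructed directory entries, shaped as an LDAP client returns them.
SAMPLE_ENTRIES = [
    {"sAMAccountName": ["jbloggs"], "givenName": ["Joe"], "sn": ["Bloggs"],
     "mail": ["joe.bloggs@example.com"], "co": ["GB"]},
    {"sAMAccountName": ["x"], "givenName": ["Xavier"], "sn": ["Ng"],
     "mail": ["x@example.com"]},
    {"sAMAccountName": ["asmith"], "givenName": ["Ann"], "sn": ["Smith"],
     "mail": ["ann.smith@example.com"]},
    {"sAMAccountName": ["pdoyle"], "givenName": ["Pat"], "sn": [],
     "mail": ["not-an-address"], "st": ["Dublin, Leinster"]},
]


def review_import(entries, existing_usernames=("asmith",)):
    """Return (username, status, reasons) per entry, as the import window would mark them."""
    results = []
    for entry in entries:
        user = map_user(entry)
        status, reasons = validate_user(user, existing_usernames)
        results.append((user["Username"], status, reasons))
    return results


if __name__ == "__main__":
    for username, status, reasons in review_import(SAMPLE_ENTRIES):
        print(f"{username:>8} {status:<8} {'; '.join(reasons)}")
```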

Verify Users

Once the user is imported, you can verify the authentication and see the associated groups for that user.
Go to Manage User Accounts, right click on the user and select LDAP/AD Lookup as shown below.

This displays the LDAP/AD Lookup window.


Note

Only 10 groups are visible when doing the test authentication.

Here, you can view the different values for the user along with the groups associated with the user.

Click on Test Authentication to verify the user's authentication.

Integrate Targets

Once the LDAP/AD feature has been enabled:

  1. Go to Main Menu > Netsec > Manage Targets.
  2. Click on Import from LDAP/AD while adding +New targets.



This opens a new window where you can filter which targets to import into the system. If a line is marked red, the target details either do not contain all required fields or contain content that is not allowed.



A target is valid if the following criteria are met:

  • An IP address or hostname is provided.
  • The MAC address, if present, is formatted correctly.


If the Update existing targets checkbox is ticked, the import also updates targets that already exist.
The Scanner option is only available if you have a distributed environment (multiple HIAB instances connected) and it determines which scanner will execute the scans against those targets associated with it.

Note

Mapping can be changed in Main Menu > Settings > Integrations > LDAP/AD.



Syslog (HIAB only)

HIAB can pass logs and findings via Syslog events, which work with virtually any other security solution on the market. Our existing MSSPs and partners already use this with a wide range of SIEMs and event correlation systems, for example ArcSight.

Set Up Syslog

To set up Syslog:

  1. Go to Menu > Settings > Integrations.
  2. Select the Syslog tab.



  3. Provide the below information to use Syslog:

    Host: Provide the hostname.
    Port: Provide the port that Syslog is using to communicate.
    Facility: Choose a facility code from the drop-down menu.

    Note

    The facility code specifies the type of program that is logging the message.

    Prefix: Enter any word that you want to add as a prefix to each line.
    Protocol: Select one of the protocols from the drop-down menu.
    Send audit log: Check this box to send the audit log as well.
    Arcsight: Click on this field to use the ArcSight format.
    TLS: Click on this field to encrypt the data using a secure transport layer.
    Certificate: Upload the certificate of the Syslog server. Only needed if TLS is enabled.
    Certificate uploaded: Displays whether a certificate has been uploaded.
    Status: Click on this button to check the network connectivity.
    Save: Click on this button to save your current settings.



ArcSight (HIAB only)

ArcSight is a Syslog-based service developed by HP and is available on the systems that offer the Syslog feature; to date that is only HIAB.

Before enabling ArcSight in the HIAB, the ArcSight server needs to be set up and configured.

Set Up ArcSight

To enable ArcSight:

  1. Go to Menu > Settings > Integrations.
  2. Select the Syslog tab.
  3. Check the Arcsight checkbox.

  4. Click Save.


When ArcSight is enabled, the Syslog message is built differently to fit into the ArcSight protocol.

Using ArcSight

When a Syslog event is activated, an ArcSight message is built instead of the ordinary Syslog message.

The Syslog message is sent to the ArcSight logger or connector. When the logger shows the message, it is divided into columns that are easier to work with than the raw data.

Note

No ArcSight specific errors should occur. If the ArcSight server has errors it is due to the Syslog implementation, not the ArcSight implementation.

It is recommended that the customer uses ArcSight together with TLS. If the logger cannot handle TLS messages, a connector that can is recommended.

No maintenance is needed for ArcSight, but the logger or the Syslog settings must be updated if IP addresses or other details change.


Examples:

A Syslog Message

Risk: Script Name: "Unencrypted Remote Authentication Available - POP3" Script Id: "219784" Target: "192.168.202.6" Port: "110" BugTraq: "No bugtraq" CVSS: "6.8" New: "0" CVE: "No CVE" Family: "pop3" First Seen: "2016-11-21 11:08" Last Seen: "2016-11-24 18:06" Product: "Unencrypted Remote Authentication" Has Exploits: "false" – Medium


An ArcSight Message

dvc=192.168.202.6 spt=110 cs1Label=Script Name cs1=Unencrypted Remote Authentication Available - POP3 cs4Label=BugTraq cs4=No bugtraq cs2Label=CVE cs2=No CVE deviceCustomDate1Label=First Seen deviceCustomDate1=Nov 21 2016 11:08:00 deviceCustomDate2Label=Last Seen deviceCustomDate2=Nov 24 2016 18:08:00 msg=Script Id: 219784 New: 0 Family: pop3 Product: Unencrypted Remote Authentication Has Exploits: false
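As an added example (not Outpost24 code), the following Python parses both sample messages above and rebuilds the ArcSight layout from the Syslog fields. The field mapping and the date format are taken from the two samples; the function names are assumptions, and CVSS and the risk level are not mapped because the page's ArcSight sample does not carry them.

```python
"""Parse the two message layouts shown above and reproduce the mapping between them."""
import re
from datetime import datetime

# Copies of the page's two sample messages (their Last Seen values differ by two
# minutes; when rebuilding, the Syslog value is used).
SYSLOG_MSG = (
    'Risk: Script Name: "Unencrypted Remote Authentication Available - POP3" '
    'Script Id: "219784" Target: "192.168.202.6" Port: "110" BugTraq: "No bugtraq" '
    'CVSS: "6.8" New: "0" CVE: "No CVE" Family: "pop3" First Seen: "2016-11-21 11:08" '
    'Last Seen: "2016-11-24 18:06" Product: "Unencrypted Remote Authentication" '
    'Has Exploits: "false" – Medium'
)
ARCSIGHT_MSG = (
    "dvc=192.168.202.6 spt=110 cs1Label=Script Name "
    "cs1=Unencrypted Remote Authentication Available - POP3 cs4Label=BugTraq "
    "cs4=No bugtraq cs2Label=CVE cs2=No CVE deviceCustomDate1Label=First Seen "
    "deviceCustomDate1=Nov 21 2016 11:08:00 deviceCustomDate2Label=Last Seen "
    "deviceCustomDate2=Nov 24 2016 18:08:00 msg=Script Id: 219784 New: 0 Family: pop3 "
    "Product: Unencrypted Remote Authentication Has Exploits: false"
)

# Key: "value" pairs; the risk level trails the message after a dash.
PAIR_RE = re.compile(r'([A-Za-z ]+?): "([^"]*)"')
RISK_RE = re.compile(r"\s[–-]\s*(\w+)\s*$")
# key=value tokens; a value runs until the next ' key=' token (values carry no '=').
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_syslog_finding(msg):
    """Return the quoted fields of a HIAB Syslog finding plus its Risk level."""
    fields = {key.strip(): value for key, value in PAIR_RE.findall(msg)}
    risk = RISK_RE.search(msg)
    if risk:
        fields["Risk"] = risk.group(1)
    return fields


def parse_arcsight(msg):
    """Split an ArcSight message into columns, resolving csNLabel/csN pairs."""
    raw = dict(KV_RE.findall(msg))
    columns = {}
    for key, value in raw.items():
        if key.endswith("Label"):
            continue  # a label only names another column
        columns[raw.get(key + "Label", key)] = value
    return columns


def _arcsight_date(value):
    # "2016-11-21 11:08" -> "Nov 21 2016 11:08:00", the layout used in the sample
    return datetime.strptime(value, "%Y-%m-%d %H:%M").strftime("%b %d %Y %H:%M:%S")


def syslog_to_arcsight(fields):
    """Rebuild the ArcSight layout of the sample from parsed Syslog fields."""
    msg_keys = ("Script Id", "New", "Family", "Product", "Has Exploits")
    parts = [
        f"dvc={fields['Target']}",
        f"spt={fields['Port']}",
        f"cs1Label=Script Name cs1={fields['Script Name']}",
        f"cs4Label=BugTraq cs4={fields['BugTraq']}",
        f"cs2Label=CVE cs2={fields['CVE']}",
        f"deviceCustomDate1Label=First Seen deviceCustomDate1={_arcsight_date(fields['First Seen'])}",
        f"deviceCustomDate2Label=Last Seen deviceCustomDate2={_arcsight_date(fields['Last Seen'])}",
        "msg=" + " ".join(f"{key}: {fields[key]}" for key in msg_keys),
    ]
    return " ".join(parts)


if __name__ == "__main__":
    rebuilt = syslog_to_arcsight(parse_syslog_finding(SYSLOG_MSG))
    for column, value in parse_arcsight(rebuilt).items():
        print(f"{column:>12}: {value}")
```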



SNMP (HIAB only)

HIABs can pass events via SNMP and integrate into SIEM/Log management solutions.

Set Up SNMP

  1. To set up SNMP, go to Main Menu > Settings > Integrations.
  2. Select the SNMP tab.




  3. Provide the below information to use SNMP:

    Version: Select either 2 or 3 depending on the SNMP version you are using.
    Host: Provide the hostname.
    Port: Provide the port number SNMP is using to communicate. Default: 162.
    Community: Add the community string, a password that is shared by multiple SNMP agents.
    Prefix: Enter any word that you want to add as a prefix to each line.
    Status: Click on this button to check the network connectivity.
    Save: Click on this button to save the current settings.



Database Connector (HIAB only)

There are other products which may require Outpost24 data to be available in a database for selection. We do not grant access to the internal database used in HIAB because it is subject to restructuring for performance and optimization, and as a security measure.

However, HIAB can be configured to set up a database connector and export findings data to external databases using Events or Report Schedules. Then, you may run your analysis or integrate external products/solutions to the external database.

When connecting to the database, you must have permissions to create tables and to update data.

Supported external databases:

  • MS SQL
  • MySQL
  • PostgreSQL

Set Up Database Integration


To set up Database integration:

  1. Go to Menu > Settings > Integrations.
  2. In the Integration Settings window, select the Database tab.


  3. Provide the below information to set up a Database connector:

    Host: Provide the hostname of your external database server.
    Port: Provide the port number the database connector is using to communicate.
    Database Name: Provide the name of the database on the external server to which findings data should be exported.
    Type: Select one of the types from the drop-down menu:

    • MS SQL
    • MySQL
    • PostgreSQL

    Username: Provide the username to authenticate against the external database server.
    Password: Provide the password to authenticate against the external database server.
    Table Name: Provide a valid name for the table in the database. A new table is created automatically during the HIAB-DB integration process. Any special character supported by ASCII can be used, depending on the type of database.
    Save: Click on the Save button to save the current settings.



Thycotic

Thycotic provides a privileged account security solution and password vault. A Thycotic Secret Server account is required to use the integration.

Note

Thycotic authentication can be configured on the scan policy, on the target or on the target group.

Set Up Thycotic Integration in OUTSCAN or HIAB

To set up Thycotic in OUTSCAN or HIAB:

  1. Go to Main Menu > Settings > Integrations.
  2. Select the Thycotic tab.



  3. Configure the Thycotic Server:

    Enabled: Click on this field to enable Thycotic.
    Name: Provide a name for this configuration.
    URI: Provide your Thycotic Secret Server URI.
    User: Provide your Thycotic user name.
    Password: Provide your Thycotic password.
    Organization (optional): Provide the name of the organization that should be queried in a Thycotic Cloud setup.
    Tenant (optional): Provide the tenant for a Thycotic Cloud setup.
    Ignore certificate validation: It is recommended to leave this box unchecked. Check this box only when there is no trusted certificate available.
    Test Authentication: Click on this button to test the authentication status.
    Add: Click to add the configuration settings.
  4. Click Save.

After enabling Thycotic, the authentication can be configured on a target, target group, or a scan policy.

Target / Target Group

  1. Go to Main Menu > Netsec > Manage Targets.
    1. Target: Edit a target to set up the Authentication.
    2. Target Group: Right-click on a group and select Set Target Authentication.
  2. Select Thycotic SMB or Thycotic SSH from the drop-down list, to use the respective authentication.

  3. Fill in the Credentials:

    Thycotic Config: Select the config from the drop-down list.
    Secret name: Provide the name of the Secret.

    Note

    When a phrase is provided, the secret whose name matches the phrase is searched for and the first match is used. ${IP} is replaced by the target IP and ${HOSTNAME} by the host name of the target.

    Override path: Provide a new path to override the existing path.
    SSH substitute user command: Select how commands are executed as a different user (privilege escalation):

    1. sudo: Found on most Linux-based systems (or can be installed). Executes commands as a different user than the one used to log in; from the tool's perspective, the commands are performed with the root account.
    2. doas: An OpenBSD-based command. 95% of its features are like sudo. https://man.openbsd.org/doas
    3. sesu: An IBM implementation of su.
    4. dzdo: Used on Linux/Unix (can be installed at will). An alternative to sudo.
    5. pfexec: Mostly used on Solaris.
    6. custom: Allows a custom-defined privilege escalation command.

    SSH custom user command: This field is available when custom is selected in the SSH substitute user command field. Add a custom command for escalating privilege.
    SMB allow NTLMv1: Check this box to allow authentication using NTLMv1.
    Enable remote registry: If enabled, the scanner starts the Remote Registry service with the given details; the service is disabled when the scan is finished.
  4. Click Test to start a verification.
  5. Click Save to enable the current settings.

Scan Policy

  1. Go to Main Menu > Netsec > Scan Scheduling > Scan Policy.
  2. Edit a scan policy to set up the Authentication. Under the SMB and SSH tabs, Thycotic SSH and Thycotic SMB are now visible as new options.
  3. Click on any of the options to use the respective authentication.

  4. Provide your Credentials:

    Thycotic Config: Select the config from the drop-down list.
    Secret name: Provide the name of the Secret.

    Note

    When a phrase is provided, the secret whose name matches the phrase is searched for and the first match is used. ${IP} is replaced by the target IP and ${HOSTNAME} by the host name of the target.

    Override path: Provide a new path to override the existing path.
    SSH substitute user command: Select how commands are executed as a different user (privilege escalation):

    1. sudo: Found on most Linux-based systems (or can be installed). Executes commands as a different user than the one used to log in; from the tool's perspective, the commands are performed with the root account.
    2. doas: An OpenBSD-based command. 95% of its features are like sudo. https://man.openbsd.org/doas
    3. sesu: An IBM implementation of su.
    4. dzdo: Used on Linux/Unix (can be installed at will). An alternative to sudo.
    5. pfexec: Mostly used on Solaris.
    6. custom: Allows a custom-defined privilege escalation command.

    SSH custom user command: This field is available when custom is selected in the SSH substitute user command field. Add a custom command for escalating privilege.
    SMB allow NTLMv1: Check this box to allow authentication using NTLMv1.
    Enable remote registry: If enabled, the scanner starts the Remote Registry service with the given details; the service is disabled when the scan is finished.
  5. To start verification, provide the target IP or Hostname and click on Test Credentials.

  6. Click Save to enable the current settings.




Azure AD

Prerequisites

An Identity Provider (IdP) offers user authentication as a service. It is a trusted provider that allows the use of single sign-on (SSO) to access other applications. SSO enhances usability by reducing password fatigue, as passwords are maintained on your IdP.

Set Up Identity Provider

Requirements

To enable SSO on HIAB/OUTSCAN you have to import metadata from your IdP into HIAB/OUTSCAN. You also need to export the service provider's metadata from HIAB/OUTSCAN and import it into your IdP.

Note

When reading the response from the IdP during sign-in to our portal, we accept signed assertions with parameters. The list of parameters your IdP returns in the response must include your user name in a parameter. By default this is the parameter named uid, but a different parameter can be configured (see Subject attribute).

Set up Identity Provider Integration

To set up Identity Provider:

  1. Go to Menu > Settings > Integrations > Identity Provider.



  2. Provide the below information to enable Identity Provider (IdP):
    • Enabled: Select the Enabled checkbox to enable the protocol for single sign-on trusting another source to log in.

    Use one or both of the following options to provide the metadata of the IdP:

    • Get metadata from file: Select Identity provider’s metadata file by clicking the + symbol beside the field.
      Metadata contains information such as how it works, what type of login is acceptable and so on.
    • Get metadata from URL: Provide a URL from which the OUTSCAN or HIAB (Service Provider) should fetch metadata from IdP.
    • Subject attribute: Enter the name of the attribute that carries the user name (uid by default). This field cannot be left empty.

      Note

      The parameter name must be typed exactly as it appears in the SAML authentication response: one single word starting with a lowercase letter, possibly including upper-case letters (e.g. camelCase).

    • Signature hash algorithm: Select between SHA-256 or SHA-1.

After enabling the required settings:

  1. Click Save to save the current settings.
  2. Click Reset to fully remove the current settings. This disables the integration.
    • IDP Metadata: Click this button to display the currently uploaded metadata of the Identity Provider.
    • SP Metadata: Click on this button to display the service provider’s metadata.

Getting the SP Metadata File

You will require the SP metadata file from the Outpost24 tool you wish to integrate with.

On the Outpost24 Tool

  1. Navigate to Main Menu > Settings > Integrations > Identity Provider.
  2. Select the Enabled checkbox and click the SP Metadata button.


Azure AD Configuration

  1. Login to https://portal.azure.com.
  2. Once in the portal, search for Active Directory in the navigation bar.



Creating a new Enterprise Application

  1. In the side bar navigation select Enterprise Applications.



  2. Select the + New application button.



  3. In the Add an application screen, select Non-gallery application, and give the application a name that is recognizable and click Add. Azure will create the application ready for configuration.




Setting up Single Sign On

  1. In the Getting Started section select Setup single sign on and select the SAML option.





  2. Select Upload metadata file and navigate to the Outpost24 metadata file downloaded in the previous steps. This populates the fields under the Basic SAML Configuration view.



    Entity ID should show: https://<IP>/opi/XMLAPI?ACTION=SHOWSPMETADATA

    Reply URL should show: https://<IP>/opi/XMLAPI?ACTION=SAMLRESPONSE

    You will need to add the Sign on URL manually: https://<IP>/opi/XMLAPI?ACTION=SAMLRESPONSE

    Where <IP> is the address of the Outpost24 Tool you are integrating with.

  3. Next you need to create a custom User Attribute.

    1. Click Edit under the User Attributes and Claims section.


    2. Click the + Add new Claim button.

  4. Configure the following information in the Manage Claim screen.



    Name: uid

    Namespace: can be left blank

    Source: Select the Transformation radio button

  5. In the Manage Transformation pop up view enter the following information.



    Transformation: Join()

    Parameter 1: user.givenname

    Separator: This depends on the user naming convention used in Outpost24; if a username is Firstname.Surname, the separator is a . (period).

    Parameter 2: user.surname

    As a result the UID sent to Outpost24 with the above configuration for Joe Bloggs would be Joe.Bloggs.

  6. Click the Add button. The transformation field now shows the configuration you just created.

  7. Click the Save button.

  8. Return to the Outpost24 HIAB Application configuration screen.

    Email addresses cannot be used as usernames for SAML, as anything after the @ symbol is ignored, meaning the login to the Outpost24 Tools fails.

Configuring Outpost24 Tools

Under section 3 of the SAML-based Sign On screen, SAML Signing Certificate, download the Federation Metadata XML file. The XML file you receive is named after the application you created in Azure.


You need to edit the XML to add some information for the integration to work properly.

Uploading the file in its current state will result in an error.

Within the EntityDescriptor tag, which is normally on line 1 of the XML file, add an attribute validUntil carrying an expiration date for the integration.

The time must be in UTC, in the format yyyy-mm-ddThh:mm:ss, for example:

validUntil="2030-08-01T00:00:00"
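As an added example (not Outpost24 code), the following Python inserts the validUntil attribute into the EntityDescriptor start tag of a downloaded metadata file and checks the result before upload. The minimal metadata document, its TENANT-PLACEHOLDER values and the function names are constructed assumptions.

```python
"""Insert and check the validUntil attribute required on the IdP metadata."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
VALID_UNTIL_FMT = "%Y-%m-%dT%H:%M:%S"  # yyyy-mm-ddThh:mm:ss in UTC, as stated above

# Constructed, minimal stand-in for the Federation Metadata XML downloaded from
# Azure; the real file also carries a signature and certificates, and the
# TENANT-PLACEHOLDER values stand where the tenant-specific identifiers would be.
SAMPLE_METADATA = (
    '<EntityDescriptor ID="_id-placeholder" '
    'entityID="https://sts.windows.net/TENANT-PLACEHOLDER/" '
    f'xmlns="{MD_NS}">'
    '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
    'Location="https://login.microsoftonline.com/TENANT-PLACEHOLDER/saml2"/>'
    "</IDPSSODescriptor></EntityDescriptor>"
)

# Start tag of the EntityDescriptor element, with or without a namespace prefix.
START_TAG_RE = re.compile(r"<((?:\w+:)?EntityDescriptor)\b([^>]*)>")


def _as_utc(value):
    """Accept a yyyy-mm-ddThh:mm:ss string (UTC) or a datetime (naive = UTC)."""
    if isinstance(value, str):
        return datetime.strptime(value, VALID_UNTIL_FMT).replace(tzinfo=timezone.utc)
    if value.tzinfo is None:
        return value.replace(tzinfo=timezone.utc)
    return value.astimezone(timezone.utc)


def set_valid_until(metadata_xml, valid_until):
    """Return the metadata with validUntil set on the EntityDescriptor start tag.

    Only the start tag is rewritten, so the rest of the file is left untouched.
    Any XML signature computed over the EntityDescriptor no longer verifies
    once its attributes change.
    """
    match = START_TAG_RE.search(metadata_xml)
    if not match:
        raise ValueError("no EntityDescriptor start tag found")
    stamp = _as_utc(valid_until).strftime(VALID_UNTIL_FMT)
    attrs = re.sub(r'\s+validUntil="[^"]*"', "", match.group(2))  # drop an old value
    new_tag = f'<{match.group(1)}{attrs} validUntil="{stamp}">'
    return metadata_xml[: match.start()] + new_tag + metadata_xml[match.end():]


def check_valid_until(metadata_xml, now=None):
    """Return (ok, message): well-formed XML, EntityDescriptor root, and a
    validUntil that is present, correctly formatted and still in the future."""
    try:
        root = ET.fromstring(metadata_xml)
    except ET.ParseError as exc:
        return False, f"metadata is not well-formed XML: {exc}"
    if root.tag.rsplit("}", 1)[-1] != "EntityDescriptor":
        return False, f"root element is {root.tag}, not EntityDescriptor"
    value = root.get("validUntil")
    if value is None:
        return False, "EntityDescriptor has no validUntil attribute; the upload would fail"
    try:
        expiry = _as_utc(value)
    except ValueError:
        return False, f"validUntil {value!r} is not in yyyy-mm-ddThh:mm:ss form"
    if expiry <= _as_utc(now or datetime.now(timezone.utc)):
        return False, f"validUntil {value} has already passed"
    return True, f"metadata valid until {value} UTC"


if __name__ == "__main__":
    print(check_valid_until(SAMPLE_METADATA))
    print(check_valid_until(set_valid_until(SAMPLE_METADATA, "2030-08-01T00:00:00")))
```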

Once saved, navigate to the Outpost24 Tool and go to the following location:

  1. Main Menu > Settings > Integrations.
  2. Select the Get metadata from file + icon.



  3. Select the XML file downloaded from Azure.
    If the file is valid, a new tab opens with the XML file printed within the displayed window for validation.
  4. Close this tab once complete.

Verifying Integration Functionality

  1. Navigate to the login screen of the Outpost24 Tool.
  2. Enter the Outpost24 username (FirstName.LastName as previously configured) of the user added to the Outpost24 Application within Azure.
  3. Click single sign on and you will be redirected to login via the Azure portal.

The user's AD account must be added to the Outpost24 Application in Azure for the login to succeed.