VMware AppDefense
The JSA DSM for VMware AppDefense collects events from a VMware AppDefense
To integrate VMware AppDefense with JSA, complete the following steps:
If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA console:
Protocol Common RPM
VMware AppDefense API Protocol RPM
DSMCommon RPM
VMware AppDefense DSM RPM
Configure your VMware AppDefense to send events to JSA.
Add a VMware AppDefense log source that uses the VMware AppDefense API on the JSA Console.
VMware AppDefense DSM Specifications
The following table describes the specifications for the VMware AppDefense DSM.
Specification |
Value |
|---|---|
Manufacturer |
VMware |
DSM name |
VMware AppDefense |
RPM file name |
DSM-VMware AppDefenseJSA-version-Build_number.noarch.rpm |
Supported versions |
V1.0 |
Protocol |
VMware AppDefense API |
Event format |
JSON |
Recorded event types |
All |
Automatically discovered? |
No |
Includes identity? |
No |
Includes custom properties? |
No |
The JSA DSM for VMware AppDefense collects events from a VMware AppDefense system.
Configuring VMware AppDefense to Communicate with JSA
To send events to JSA from your VMware AppDefense system, you must create a new API key on your VMware AppDefense system.
Ensure that you have access to the Integrations settings in the VMware AppDefense user interface so that you can generate the Endpoint URL and API Key that are required to configure a log source in JSA. You must have the correct user permissions for the VMware AppDefense user interface to complete the following procedure:
Log in to your VMware AppDefense user interface.
From the navigation menu, click the icon to the right of your user name, and then select Integrations.
Click PROVISION NEW API KEY.
In the Integration Name field, type a name for your integration.
Select an integration from the Integration Type list.
Click PROVISION, and then record and save the following information from the message in the window that opens. You need this information when you configure a log source in JSA:
EndPoint URL
API Key - This is the Authentication Token parameter value when you configure a log source in JSA.
Note:If you click OK or close the window, the information in the message can't be recovered.
VMware AppDefense API Log Source Parameters for VMware AppDefense
If JSA does not automatically detect the log source, add a VMware AppDefense log source on the JSA Console by using the VMware AppDefense API protocol.
When using the VMware AppDefense API protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect VMware AppDefense API events from VMware AppDefense:
Specification |
Value |
|---|---|
Log Source Type |
VMware AppDefense |
Protocol Configuration |
VMware AppDefense API |
Log Source Identifier |
Type the IP address or host name for the log source as an identifier for events from your VMware AppDefense devices. |
Endpoint URL |
The endpoint URL for accessing VMware AppDefense. Example revision: https://server_name.vmwaredrx.com/partnerapi/v1/orgs/<organization ID> |
Authentication Token |
A single authentication token that is generated by the AppDefense console and must be used for all API transactions. |
Use Proxy |
If JSA accesses the VMware AppDefense API by using a proxy, enable Use Proxy. If the proxy requires authentication, configure the Hostname, Proxy Port, Proxy Username, and Proxy fields. If the proxy does not require authentication, configure the Hostname and Proxy Port fields. |
Automatically Acquire Server Certificate(s) |
If you choose Yes from the drop down list, JSA automatically downloads the certificate and begins trusting the target server. If No is selected JSA does not attempt to retrieve any server certificates. |
Recurrence |
Beginning at the Start Time, type the frequency for how often you want the remote directory to be scanned. Type this value in hours(H), minutes(M), or days(D). For example, 2H if you want the directory to be scanned every 2 hours. The default is 5M. |
EPS Throttle |
The maximum number of events per second. The default is 5000. |
VMware AppDefense Sample Event Messages
Event name |
Low level category |
Sample log message |
|---|---|---|
Inbound Connection Rule Violation |
Firewall Deny |
{"id":1111111,"createdAt":1512009263.471000000,"remed
iation":
{"id":1111111},"severity":"CRITICAL","lastReceivedAt"
:1516170726.957000000,"count":2,"status":"UNRESOLVED"
,"violationDetails":
{"processHashSHA256":"1000000000000000000000000000000
000000000000000000000000000000000","processHash":"100
00000000000000000000000000000","cli":"<cli>","localPo
rt":"<24","processPath":"","alert":"INBOUND_CONNECTIO
N_RULES_VIOLATION","localAddress":"192.0.2.0","ipProt
ocol":"tcp","preEstablishedConnection":"FALSE"},"viol
atingVirtualMachine":
{"id":1111111,"vmToolsStatus":"TOOLS_NOT_RUNNING","vc
enterUuid":"11111111-1111-1111-1111-111111111111","vm
Uuid":"11111111-1111-1111-1111-111111111111","ipAddre
ss":"192.0.2.0”,"osType":"WINDOWS","vmManageabilitySt
atus":"HOST_MODULE_ENABLED_AND_GUEST_MODULE_MISSING",
"guestAgentVersion":"1.0.1.0","macAddress":"<MacAddre
ss>","guestId":"windows8","healthStatus":"CRITICAL","
service":
{"id":00000},"vmId":"1","guestAgentStatus":"Disconnec
ted","guestName":"Microsoft
Windows","guestStatus":"POWERED_OFF","name":"<name>",
"hostName":"<Hostname>"},"violatingProcess":
{"processReputationProfile":null,"fullPathName":"Syst
em","<System>":"<System>","process256Hash":"100000000
00000000000000000000000000000000000000000000000000000
00","processMd5Hash":"1000000000000000000000000000000
0"},"subRuleViolated":null,"ruleViolated":"INBOUND_CO
NNECTION"}
|
Outbound Connection Rule Violation |
Firewall Deny |
{"id":10101001,"createdAt":1512009263.495000000,"reme
diation":
{"id":1551519},"severity":"CRITICAL","lastReceivedAt"
:1516224258.818000000,"count":00001,"status":"UNRESOL
VED","violationDetails":
{"processHashSHA256":"0000000000000000000000000000000
000000000000000000000000000000","processHash":"000000
0000000000000000000000000","cli":"C:\
\<path>,"alert":"OUTBOUND_CONNECTION_RULES_VIOLATION"
,"localAddress":"192.0.2.0","remotePort":"24","ipProt
ocol":"udp","preEstablishedConnection":"FALSE","remot
eAddress":"0000::0:0"},"violatingVirtualMachine":
{"id":101010,"vmToolsStatus":"TOOLS_NOT_RUNNING","vce
nterUuid":"11111111-1111-1111-1111-111111111111","vmU
uid":"11111111-1111-1111-1111-111111111111","ipAddres
s":"192.0.2.0","osType":"WINDOWS","vmManageabilitySta
tus":"HOST_MODULE_ENABLED_AND_GUEST_MODULE_MISSING","
guestAgentVersion":"1.0.1.0","macAddress":"<MacAddres
s>","guestId":"windows8","healthStatus":"CRITICAL","s
ervice":
{"id":28486},"vmId":"1","guestAgentStatus":"Disconnec
ted","guestName":"Microsoft
Windows","guestStatus":"POWERED_OFF","name":"<name>",
"hostName":"<host>"},"violatingProcess":
{"processReputationProfile":{"processFileInfo":
{"md5":"000000000000000000000000000000","sha256":"000
00000000000000000000000000000000000000000000000000000
000","container":false,"executable":true,"ssdeep":"10
0:THGFJFJFHJY7y86gHK7GHk7ghjgkghjk","fileSizeBytes":1
,"peFormat":true,"firstSeenName":"<fileName>","sha1":
"000000000000000000000000000000000000","crc32":null},
"peHeaderMetadata":{"companyName":"Microsoft
Corporation","productName":"Microsoft
Windows,"version":null,"originalName":"<host>","descr
iption":"<description>","fileVersion":"192.0.2.0,"cod
ePage":null,"productVersion":"6.3.9600.17415","langua
ge":"English (U.S.)"},"certificate":
{"commonName":"Windows","certificateexinfo":
{"thumbprint":"00000000000000000000000000000000000000
0000000","issuerThumbprint":"000000000000000000000000
000000000","serialNumber":null,"validToDate":14376041
40.000000000,"validFromDate":1398205740.000000000,"pu
blisher":null,"name":null}},"trust":10,"threat":0},"f
ullPathName":"C:\
\<path>","process256Hash":"00000000000000000000000000
0000000000000000000000000000000000","processMd5Hash":
"000000000000000000000000000000000"},"subRuleViolated
":null,"ruleViolated":"OUTBOUND_CONNECTION"}
|