Search another article?
Manual – Introduction
SGBox is a modular SIEM platform for ICT security control and management. Its distributed architecture allows you to adapt its use to different business needs. With SGBox you can generate aggregate views with the information collected from the various modules. The data coming from the collection of system and application logs, once analyzed, feeds a correlation engine capable of generating automatic alarms and countermeasures when potential cyber incidents occur.
SGBox is provided as a virtual appliance (in Open Virtualization Format or Microsoft HyperV format) or physical. The main interface is accessible via HTTPS via a common web browser
(Safari, Mozilla Firefox, Google Chrome, Microsoft Edge).
Below are the modules that can be enabled in the SGBox (normally included in the PoC
- SCM – Security Control Manager
- LM – Log Management
- LCE – Log Correlation Engine
- NVS – Network Vulnerbility Scanner
- SM – System Monitoring
The Log Management (LM) module collects any log format from data sources (servers, endpoints, network equipment, applications, etc.). The collected logs (in rawformat) are normalized through special patterns,encrypted and signed (the signature allows the attribution of a timestamp) to ensure their unalterability. The events generated through the application of the patterns offer the possibility to search online taking advantage of the many functions present, obtaining answers quickly.
Each module shares the information with the other modules (feeding the centralized data storage) and with the SCM component, that is, the web console, which also allows the installation of applications (available in the appropriate repository). Applications extend platform functionality while also allowing integration with some vendors (including through REST API).
SGBox can take advantage of the use of the manifold, a pre-installed virtual machine that allows the creation of distributed architectures (single and multi-tenant) acting as a log aggregation center. The collector compresses the collected data and finally communicates it to the appliance through an encrypted channel (HTTPS). The manifold is required in the presence of the Network Vulnerability Scanner (NVS) module, if you want to use the OpenVAS open source engine. The use of the manifold is also necessary when SGBox is configured in multi-tenant mode. The scan engine is already present on the manifold and can be easily configured to communicate with the SCM module and allow scanning of the assets (host groups) created within the platform.
The following images reproduce the simplified architecture of the solution in both centralized and distributed mode (the latter involves the use of the virtual manifold):
The minimum hardware requirements are shown in the following table:
|Virtual Machine Type||Ram||Core||HDD|
|Appliance||8 GB||12||100 GB|
|Collector||4 GB||2||30 GB|
Table 1: SGBox hardware requirements (appliance and manifold)
The disk size assigned to the OVF image can be modified by command-line interface by following the steps at the following address:
The size of the collector disk is predefined and cannot be changed.