SOCFortress Integrations — WatchGuard Panda Adaptive Defense 360

SOCFortress
4 min read · Aug 3, 2024


Intro

SOCFortress integration and visualization tools allow security analysts to visualize and triage WatchGuard Panda Adaptive Defense 360 security events from a single pane of glass.

About WatchGuard Panda Adaptive Defense 360

WatchGuard Panda Adaptive Defense 360 is a comprehensive endpoint protection and cybersecurity solution offered by WatchGuard Technologies in partnership with Panda Security.

It’s designed to provide advanced security measures for endpoints, including computers, laptops, servers, and mobile devices. The solution aims to protect against a wide range of cyber threats.

Key features and aspects of WatchGuard Panda Adaptive Defense 360:

  • Endpoint Protection: The solution includes traditional antivirus and antimalware features to prevent and detect known threats such as viruses, malware, and spyware.
  • Behavioral Analysis: Adaptive Defense 360 uses behavioral analysis to monitor the behavior of applications and processes on endpoints. This proactive approach helps identify zero-day threats and advanced attacks that might not have known signatures.
  • Application Control: The solution allows administrators to manage and control the applications running on endpoints. This can help prevent the execution of unauthorized or potentially malicious software.
  • Zero-Trust Application Service: This feature verifies the legitimacy and safety of applications running on endpoints, ensuring that only trusted applications are allowed to execute.
  • Cloud-based Management Console: The centralized management console allows administrators to monitor and manage the security of all endpoints from a single interface. It provides real-time visibility into endpoint status and threats.
  • Ransomware Protection: The behavioral and application controls above are also positioned against ransomware, a common and damaging class of threat.

Ingesting Defense 360 Endpoint Events

WatchGuard SIEMFeeder can send WatchGuard Endpoint Security data to a SIEM platform.

Before sending anything, SIEMFeeder enriches the raw endpoint telemetry with security intelligence and then delivers it to a compatible SIEM server as a single data flow.

Administrators can use this data to help detect unknown threats, targeted attacks, and advanced malware. It gives in-depth visibility into the processes running across the organization's network. SIEMFeeder is the link between the protection software installed on your company's computers and your company's SIEM server.

The SIEMFeeder architecture consists of these components:

  • Computers on the network: Computers on the network that are protected by Endpoint Security products.
  • WatchGuard Cloud Infrastructure: The WatchGuard Cloud infrastructure stores data from the processes that run and analyzes the data to extract security intelligence.
  • SIEMFeeder service: The SIEMFeeder service collects events and security data and encapsulates the data in the form of log files.
  • Microsoft Azure infrastructure: Azure is a cloud computing platform that receives logs from the SIEMFeeder service and stores them for collection.
  • Event Importer: A computer on the customer network that runs Event Importer and downloads the available logs from the Azure infrastructure.
  • Kafka server (optional): A computer on the customer network that manages the queue of logs it receives from Event Importer and sends them to the company SIEM server.
  • Syslog server (optional): A computer on the customer network that collects the logs it receives from Event Importer and sends them to the company SIEM server.
  • Shared folder (optional): A storage location on the customer's (or MSSP's) network where Event Importer deposits the logs when no Syslog or Kafka server is available.
  • SIEM server: A customer server that receives the data Event Importer downloads and builds the dashboards that help detect suspicious processes that could pose a security threat.

About Event Importer

WatchGuard Event Importer is an application that you can use to download data that the WatchGuard SIEMFeeder service generates from computer process activity on the network.

Based on the settings that you configure, Event Importer can import, decompress, and save these data log files to a folder on your computer or send the files to a compatible server (Apache Kafka or syslog).
Configuration (Reference): https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Endpoint-Security/security-modules/siemfeeder/siemfeeder-install-config.html
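The architecture above ends with Event Importer either dropping (possibly compressed) log files into a shared folder or relaying them to syslog/Kafka, and the SIEM turning those records into the alert dashboards shown below. The following is an added example, not code from this post or from WatchGuard's own tooling, of the pieces a collector on that path needs: gunzip-on-demand, a CEF parser that honours the format's escaping rules, a CEF-to-syslog severity mapping for re-emission, and the alerts-by-action / events-by-type rollups behind the dashboards. The sample lines are constructed; the vendor/product strings, signature IDs ("alert", "processops") and the extension keys (standard CEF keys such as `shost`, `act`, `fname`, `msg`) are illustrative assumptions rather than a transcription of real SIEMFeeder output.

```python
"""Added example (not SOCFortress or WatchGuard code): parse CEF-formatted
SIEMFeeder records as Event Importer would leave them, re-frame them for a
syslog input, and roll up alerts the way the dashboards do."""
import gzip
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample standing in for Event Importer output. Vendor/product,
# signature IDs and the (standard CEF) extension keys are assumptions.
SAMPLE_LINES = [
    "CEF:0|Panda Security|paps|02.45.00.0000|alert|Alert|10|"
    "shost=WS-01 act=Quarantine fname=invoice.exe msg=Malware detected\\= quarantined",
    "CEF:0|Panda Security|paps|02.45.00.0000|alert|Alert \\| PUP|5|"
    "shost=WS-02 act=Block fname=toolbar_setup.exe",
    "CEF:0|Panda Security|paps|02.45.00.0000|processops|ProcessOps|1|"
    "shost=WS-01 act=CreateProc fname=cmd.exe",
]
# The same sample as a gzip-compressed file body, as if picked up from the share.
SAMPLE_GZ = gzip.compress("\n".join(SAMPLE_LINES).encode("utf-8"))

_GZIP_MAGIC = b"\x1f\x8b"
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")


def read_events(blob: bytes) -> List[str]:
    """Return the non-empty lines of a log file, gunzipping if the magic bytes match."""
    if blob[:2] == _GZIP_MAGIC:
        blob = gzip.decompress(blob)
    return [ln for ln in blob.decode("utf-8", "replace").splitlines() if ln.strip()]


def _split_header(line: str):
    """Split the seven '|'-delimited CEF header fields; backslash escapes the next char."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):      # '\|' or '\\' inside a header field
            cur.append(line[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
            if len(fields) == 7:                  # the remainder is the extension
                return fields, line[i:]
            continue
        cur.append(c)
        i += 1
    raise ValueError("malformed CEF header: %r" % line[:60])


def _unescape_ext(value: str) -> str:
    """Extension values escape '=' and '\\' with a backslash; \\n and \\r are newlines."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext: str) -> Dict[str, str]:
    """key=value pairs whose values may contain spaces: slice between key positions."""
    keys = list(_KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape_ext(ext[m.end():end].strip())
    return out


def parse_cef(line: str) -> Dict[str, object]:
    header, ext = _split_header(line.rstrip("\r\n"))
    if not header[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    return {
        "cef_version": header[0].split(":", 1)[1],
        "vendor": header[1], "product": header[2], "version": header[3],
        "signature_id": header[4], "name": header[5], "severity": int(header[6]),
        "ext": _parse_extension(ext),
    }


def parse_lines(lines: Iterable[str]) -> List[Dict[str, object]]:
    return [parse_cef(ln) for ln in lines]


def cef_to_syslog_severity(cef_severity: int) -> int:
    """Map CEF 0-10 onto syslog severities (a chosen banding, not a WatchGuard one)."""
    if cef_severity >= 9:
        return 2   # critical
    if cef_severity >= 7:
        return 3   # error
    if cef_severity >= 4:
        return 4   # warning
    return 6       # informational


def to_syslog(event: Dict[str, object], raw_line: str, hostname: str,
              timestamp: str, facility: int = 1) -> str:
    """RFC 3164 framing for forwarding an imported line to the SIEM's syslog input."""
    pri = facility * 8 + cef_to_syslog_severity(int(event["severity"]))
    return f"<{pri}>{timestamp} {hostname} siemfeeder: {raw_line}"


def alerts_by_action(events) -> Counter:
    """Behind 'Alerts by EPP / Policy Action': count 'act' over alert records only."""
    return Counter(str(e["ext"].get("act", "unknown")) for e in events if e["signature_id"] == "alert")


def events_by_type(events) -> Counter:
    """Behind 'Alerts by type': count records per signature ID."""
    return Counter(str(e["signature_id"]) for e in events)


if __name__ == "__main__":
    events = parse_lines(read_events(SAMPLE_GZ))
    for ev, raw in zip(events, SAMPLE_LINES):
        print(to_syslog(ev, raw, "importer-01", "Aug  3 12:00:00"))
    print("alerts by action:", dict(alerts_by_action(events)))
    print("events by type:  ", dict(events_by_type(events)))
```

The header splitter is character-driven rather than a plain `split("|")` because a CEF producer escapes a literal pipe in the event name as `\|`; splitting naively would shift every later field, including the severity the syslog priority is derived from. The extension parser likewise locates keys by position and then unescapes `\=`, so a value such as `Malware detected\= quarantined` survives intact instead of spawning a bogus key.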

Visualizations

Dashboards shown in the original post (screenshots):

  • Panda360 — Alerts
  • Panda360 — Alerts by EPP / Policy Action
  • Panda360 — Alerts by type

Need Help?

The functionality discussed in this post, and much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html


SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).