Syslog - MistNet NDR

Device Details

Device Name	MistNet NDR
Vendor	MistNet
Device Type	MistNet
Supported Model Name/Number	N/A
Supported Software Version(s)	2021.07.1
Collection Method	Syslog
Configurable Log Output	No
Log Source Type	Syslog - MistNet NDR
Log Processing Policy	LogRhythm Default v2.0
Exceptions	N/A
Additional Information	N/A

Type	Product Version	Supported Schema Fields
Catch All	N/A	<vmid>, <vendorinfo>, <subject>, <threatid>, <status>
MN: Case And Incident Messages	N/A	<vmid>, <vendorinfo>, <severity>, <sip>, <dip>, <dname>, <sport>, <dport>, <protname>, <account>, <domainimpacted>,<subject>, <threatname>, <threatid>, <url>, <reason>, <status>, <bytesin>, <bytesout>, <itemsin>, <itemsout>, <duration>

To configure MistNet NDR for SIEM integration, do the following:

Login to MistNet NDR.
From the Dashboard, click Settings, then SIEM, and then Syslog Configuration.
The Syslog IP Configuration screen appears.
In the Syslog Server IP field, enter the LogRhythm System Monitor Agent server's IP Address.
In the Port field, enter 514.

MistNet Syslog sends logs via TCP Port 514.
Click Update.

To configure the notification type and score threshold, do the following:

Login to MistNet NDR.
From the Dashboard, click Settings, then SIEM, and then Syslog Notifications.
The Notifications screen appears.
Configure the notification type by checking any of the following boxes:
- Per Incident
- Per Policy
- Per Case
- Per Test
Enter a value in the Score Threshold field to configure the notification score threshold.

Notification logs are sent for cases and incidents with scores that are greater than or equal to the entered value.
Click Update.

MistNet NDR parsing performance is expected to be around ~500mps.

KB Version	Log Type	Change Type	Details
KB 7.1.625.0	Syslog - MistNet NDR	New Log Source Type	New Device: Syslog - MistNet NDR