Jscrambler 101 — SIEM Integration

Welcome back to Jscrambler 101! A collection of tutorials on how to use Jscrambler to protect your JavaScript. This tutorial covers Jscrambler version 7.2.

Introduction

Last time, on Jscrambler 101 — Memory Protection, we explored a new Jscrambler feature that ciphers sensitive data using cryptographic algorithms, only allowing the data to be deciphered when it needs to be accessed by the application.

This time, we’re going to explore SIEM Integration, a new Jscrambler feature that allows you to forward and aggregate the valuable security Information Jscrambler gives you into a SIEM (e.g. Elasticsearch, Splunk).

SIEM Integration

From Jscrambler version 6.0 onwards, we provide a JavaScript Threat Monitoring module that displays a real-time notification on the Jscrambler dashboard as soon as some kind of violation occurs, such as the client’s JavaScript code being tampered with or used in a different environment or date from the one(s) that are set on the protection configuration.

Now, with the SIEM Integration, you can easily access all that valuable information from one place and automate the process of looking at audit logs and alerting.

Setting up your SIEM Integration

To set up the integration between Jscrambler and your SIEM, you need to to configure a Jscrambler notification driver and map the fields of the notification body. Let’s explore these steps below.

To access the SIEM Integrations page, you need to go to the Jscrambler dashboard, select the target application, and then click on the “Integration” link under the Setup section.

Currently, we provide two types of drivers that your SIEM will most likely be compatible with: Elasticsearch and Webhook. Below, we will explore how to set things up in each of these.

Elasticsearch

To set up real-time notifications with an Elasticsearch instance, you need to select the Elasticsearch Notification driver on the dropdown box and click on the “Add” button.

Then, you will need to configure the following parameters according to your Elasticsearch setup:

• Title: Name of this integration
• URI: Network endpoint of your Elasticsearch instance (must be publicly available)
• Accept All Certificates: turn on to allow self-signed certificates
• Username/Password: client authorization to the Elasticsearch instance
• Request Timeout (milliseconds): maximum amount of time waiting for the request to be completed
• Max. Number of Retries: number of times the service attempts to deliver the Real-Time Notification once the first attempt fails
• Elasticsearch Index: name of the Elasticsearch index where your notifications will be grouped
• Elasticsearch Type: name of the Elasticsearch type

When you are done, you just need to click on the Create button to validate and store the configured Elasticsearch integration.

Webhook

To set up real-time notifications with a Webhook, you need to select the Webhook Notification driver on the dropdown box and click on the “Add” button.

Then, you need to configure the following parameters according to your SIEM (should be capable of receiving HTTP(S) requests):

• Title: Name of this integration
• Endpoint to send a POST Request: Network endpoint of your HTTP(S) server instance (must be publicly available)
• Basic Authentication Username/Password: client authorization to the HTTP(S) server
• Support Self-Signed Certificates: turn on to allow self-signed certificates
• Max. Number of Retries: number of times the service attempts to deliver the Real-Time Notification once the first attempt fails

When you are done, just click on the Create button to validate and store the configured webhook integration.

And that’s all from the Jscrambler dashboard! Let’s now see how you can map the notification body to the respective security alerts.

Mapping the notification body

Each real-time notification sent by Jscrambler will follow the pattern below:

{
  "title": "Real time notification",
  "description": "Code violation: j-003-00001",
  "body": {
	"0": "j-003-00001",
	"1": 1625757006491,
	"2": -60,
	"3": "Linux x86_64",
	"4": "Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0",
	"5": "https://example.com/index.html",
	"8": "Gecko"
  },
  “clientIp”: “111.111.111.111”
}

To properly visualize this data in your SIEM, you should map these fields to their corresponding descriptions.

Here’s the meaning of each field from the request’s body:

As for the alert codes of body[“0”], find the corresponding alert description below:

And that’s it! You’re done with the required configuration.

End Result

Now that you have set up your SIEM integration, you should be able to see the real-time notifications in your SIEM. In the image below, you can see a preview of the resulting dashboard using Kibana.

Now that you have centralized your security information in one system, it is easier to start automating your audit logs and alerting checkups.

Conclusion

And now we have reached the end of our Jscrambler SIEM Integration tutorial.

As you saw, getting started with this feature is a very simple, one-time process that will enrich your SIEM with valuable information. So don’t miss this chance to start centralizing your security information and make it easier to maintain in-depth security.

Feel free to proceed to one of our next 101 Tutorials:

• Jscrambler 101 — First Use
• Jscrambler 101 — Code Annotations (Code Performance)
• Jscrambler 101 — Self Defending
• Jscrambler 101 — Control Flow Flattening
• Jscrambler 101 — Code Locks
• Jscrambler 101 — How to use the CLI
• Jscrambler 101 — Source Maps
• Jscrambler 101 — Countermeasures
• Jscrambler 101 — Self-Healing
• Jscrambler 101 — Profiling (Code Performance)
• Jscrambler 101 — App Classification
• Jscrambler 101 — Memory Protection

And don't forget to check our Documentation, which may be very useful when getting started.

Enjoy your testing and start protecting your Applications ASAP! If you have any additional questions, feel free to contact us.