A ProxySG data source was configured to upload access logs over HTTPS through SpanVA to CloudSOC.
Logs had been uploaded and processed successfully in CloudSOC Audit for about a year.
Contacts configured on the CloudSOC data source then receive an email (similar to the one below) stating that no new data has been received:
This is to notify that no new data has been received for the following datasources:
Preliminary investigation in SpanVA:
Upper left corner: SpanVA shows Active / green, connected to CloudSOC.
Diagnostics tab: click "Generate Diagnostics"; all items are green.
Certificates tab, Server: the active server certificate expired recently.
The SpanVA active server certificate had expired, so the ProxySG could no longer complete the TLS handshake with SpanVA and stopped uploading logs. The SpanVA-to-CloudSOC connection and the diagnostics still show green because only the ProxySG-to-SpanVA leg is affected.
Follow this Tech Doc to create a new self-signed server certificate with the OpenSSL utility on Windows or Linux:
Note: when prompted for the FQDN or IP address during certificate creation, use SpanVA's IP address.
(As of 02/01/23, using the FQDN may not work.)
Upload the new SpanVA server certificate to ProxySG following this Tech Doc:
The ProxySG admin can then check that the TLS handshake completes, perform a test upload to SpanVA, view a traffic capture, and confirm that logs are being sent to SpanVA.
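The following is an added example, not the commands from the Tech Doc, showing one way to generate the replacement self-signed certificate on Linux and to check what ProxySG will see before uploading it. It goes slightly beyond the note above by putting the SpanVA IP address in the subjectAltName as well as the CN, since modern TLS clients match on the SAN. The IP address (a TEST-NET value), the port, the 730-day validity and the output directory are assumptions; replace them with your own values.

```shell
#!/bin/sh
# Added example: create a self-signed SpanVA server certificate keyed on the
# appliance IP address and check its SAN and expiry with OpenSSL.
# SPANVA_IP, SPANVA_PORT, DAYS and OUTDIR are assumptions, not values from the page.
set -eu

SPANVA_IP="${SPANVA_IP:-192.0.2.10}"     # assumption: SpanVA's IP address (TEST-NET range)
SPANVA_PORT="${SPANVA_PORT:-443}"        # assumption: port ProxySG uploads to
DAYS="${DAYS:-730}"                      # assumption: validity period of the new cert
OUTDIR="${OUTDIR:-$(mktemp -d)}"         # assumption: where key and cert are written

# Generate key and self-signed certificate in one step. Both the CN and the
# subjectAltName carry the IP address, matching the recommendation above.
# Requires OpenSSL 1.1.1 or later for -addext.
make_spanva_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$OUTDIR/spanva.key" -out "$OUTDIR/spanva.crt" \
        -days "$DAYS" -subj "/CN=$SPANVA_IP" \
        -addext "subjectAltName=IP:$SPANVA_IP" >/dev/null 2>&1
    echo "$OUTDIR/spanva.crt"
}

# Succeeds only if the certificate's SAN lists the IP the ProxySG connects to.
cert_has_ip_san() {
    openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"
}

# Succeeds only if the certificate stays valid for at least $2 more days.
# Run this periodically against the installed cert to catch the expiry
# before the "no new data" email does.
cert_ok_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Demo run
CRT=$(make_spanva_cert)
echo "certificate written to: $CRT"
cert_has_ip_san "$CRT" "$SPANVA_IP" && echo "SAN contains IP:$SPANVA_IP"
cert_ok_for_days "$CRT" 30 && echo "valid for at least 30 more days"

# From the ProxySG side (or any host that can reach SpanVA), the same expiry
# check against the live appliance once the new cert is installed:
#   openssl s_client -connect "$SPANVA_IP:$SPANVA_PORT" </dev/null 2>/dev/null \
#       | openssl x509 -noout -enddate
```

The `-checkend` test returns a non-zero exit status as soon as the certificate will expire within the given window, so it can be dropped into a cron job or monitoring check to warn well before the upload breaks again.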
Once new logs are confirmed to be leaving ProxySG, wait a few minutes (5-10 minutes is usually enough).
Then open the SpanVA "Monitoring" tab and scroll to the bottom to look for new logs being received from the data source.
Logs then travel from SpanVA to CloudSOC, are processed there, and appear in CloudSOC Audit; this can take up to 6 hours.
Using an FQDN when creating SpanVA self-signed server certificates will be tested, and any issue found will be addressed in the next SpanVA version.