
Appendix

This section provides supplemental information.

Enable Support for TLS 1.2 at the Client Workstation for Microsoft Entra ID

To improve the security posture of the tenant, and to remain in compliance with industry standards, Microsoft Entra ID stopped supporting the following Transport Layer Security (TLS) protocols and ciphers:

  1. TLS 1.1

  2. TLS 1.0

  3. 3DES cipher suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA)

In order for the HaloCAD for CAD add-on to be able to authenticate to Microsoft Entra ID, TLS 1.2 must be activated on the respective client workstation. Please see this Microsoft article to enable TLS 1.2.

Microsoft documentation

The information in the Microsoft documentation overrides any information published in this section.

Secude is not liable for changes to the content of this section, because it was extracted from the Microsoft article at the time the HaloCAD manual was prepared. Check the Microsoft documentation for the most recent updates.

In summary, the following steps must be performed: 

  1. Update the Windows Operating System

  2. Update .NET Framework

  3. Set the following registry settings:

| S.No | Windows Registry | Values |
|------|------------------|--------|
| 1 | [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319] | "SystemDefaultTlsVersions"=dword:00000001 |
|   |   | "SchUseStrongCrypto"=dword:00000001 |
| 2 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] | "SystemDefaultTlsVersions"=dword:00000001 |
|   |   | "SchUseStrongCrypto"=dword:00000001 |

Registry entries
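One way to verify step 3 on a workstation, as an added example that is not Secude's or Microsoft's code. The names `read_hklm` and `audit_tls_settings` are hypothetical; the registry reader is passed in as a parameter so the same check can also be run against exported values.

```python
try:
    import winreg  # standard library, present only on Windows
except ImportError:
    winreg = None

# The two .NET Framework keys and two values from the table above.
KEYS = (r"SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319",
        r"SOFTWARE\Microsoft\.NETFramework\v4.0.30319")
VALUES = ("SystemDefaultTlsVersions", "SchUseStrongCrypto")

def read_hklm(subkey, name):
    """Read a value under HKEY_LOCAL_MACHINE; None if key or value is absent."""
    # KEY_WOW64_64KEY stops a 32-bit Python from being redirected, so the
    # WOW6432Node path above is opened exactly as written.
    access = winreg.KEY_READ | winreg.KEY_WOW64_64KEY
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey, 0, access) as key:
            return winreg.QueryValueEx(key, name)[0]
    except FileNotFoundError:
        return None

def audit_tls_settings(reader=read_hklm):
    """Return (subkey, name, found) for every setting that is not dword 1."""
    findings = []
    for subkey in KEYS:
        for name in VALUES:
            found = reader(subkey, name)
            if found != 1:
                findings.append((subkey, name, found))
    return findings

if __name__ == "__main__" and winreg:
    problems = audit_tls_settings()
    for subkey, name, found in problems:
        print(f"HKLM\\{subkey}\\{name}: expected 1, found {found!r}")
    print("OK" if not problems else f"{len(problems)} setting(s) need attention")
```

An empty result means all four values are set as the table requires; it does not confirm that the operating system and .NET Framework updates from steps 1 and 2 are installed.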

Open-source Software

Third-party software/code is included or bundled with Secude's products according to its appropriate license. Secude conducts testing to make sure the third-party products are compatible with and perform as intended with Secude applications.

The third-party libraries and dependencies used by HaloCAD for SOLIDWORKS PDM are shown in the table below.

Open-source software

Metadata Definition

The SOLIDWORKS PDM metadata in the HaloENGINE is listed in the table below.

| SOLIDWORKS PDM Metadata | Use |
|-------------------------|-----|
| author_name | Derivation from the Web2 client interface Items author. |
| domain_name | Derivation from the network domain name associated with the current user. (For example, SZVLU100.com) |
| file_type | Derivation from file type. File types of SOLIDWORKS. |
| user_name | Derivation from machine logged-on user. (For example, John and Derek) |
| client_hostname | Derivation from the computer where SOLIDWORKS PDM is installed. (For example, SZVLU100.com) |
| current_state | Derivation from the file's status as set in SOLIDWORKS PDM. (For example, Approved and Waiting for approval) |
| project_name | The name of the project from which the saved file is derived. (For example, CMS Turbo Engine) |
| ad_group | Derivation from the domain groups. (For example, Domain Users and Superusers) |
| folder_path | Derivation from folder name in SOLIDWORKS PDM server. (For example, C:/<Folder>). Please note that files cannot be encrypted if the folder name (folder_path) is specified with a backslash "\", such as C:\folder1\folder2. Therefore, it is advised to configure with a forward slash "/", such as C:/folder1/folder2. |
| preexpression_custom_pre-expression | Derivation from custom pre-expression: 1. Yes 2. No |

SOLIDWORKS PDM Metadata

Download Log Definition

This section explains the log definition for every log format that HaloENGINE supports.

What is SIEM Integration?

SIEM, which stands for Security Information and Event Management, is a comprehensive approach to managing an organization's security information and events. SIEM integration refers to the process of incorporating SIEM solutions into an organization's existing IT infrastructure to enhance its ability to monitor, detect, and respond to security incidents. To support this approach, HaloENGINE transmits logs in JavaScript Object Notation (JSON), Log Event Extended Format (LEEF), and Common Event Format (CEF).

  1. Common Event Format is an open log management standard developed by HP ArcSight. CEF comprises a standard prefix and a variable extension that is formatted as key-value pairs. 

  2. Log Event Extended Format is a customized event format for IBM Security QRadar. LEEF comprises a LEEF header, event attributes, and an optional Syslog header. 

  3. JavaScript Object Notation is a lightweight text-based open standard designed for human-readable data interchange.

These logs are forwarded to the communications module, which transmits them to your collection server via UDP or TCP. Ideally, a SIEM (Microsoft Azure Sentinel, Splunk, RSA, and others) server would scan the received messages, sort them, and alert your security team.


Forwarding logs

Why CEF Standard?

The CEF format is an open log management standard that simplifies log management. CEF allows third parties to create their own device schemas that are compatible with a standard used industry-wide for normalizing security events. Technology companies and customers can use the standardized CEF format to facilitate data collection and aggregation for later analysis by an enterprise management system. CEF is an extensible, text-based format designed to support multiple device types by offering the most relevant information. It defines the syntax for log records consisting of a standard header and a variable extension, formatted as key-value pairs.

Syslog and CEF Header

The data is normalized and categorized into the ArcSight CEF for easy correlation and analysis. CEF uses Syslog as a transport mechanism. It uses the following format, consisting of a Syslog prefix, a header, and an extension, as shown below. If an event producer is unable to write Syslog messages, it is still possible to write the events to a file.

Prefix │ Header │[Extension]

CEF format

10:29:48.486 host CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|[Extension]

CEF format sample

| Format | Description | Example |
|--------|-------------|---------|
| Prefix | Syslog applies a prefix to each message, no matter which device it arrives from, that contains the date and hostname. | 10:29:48.486 |
| Header | Version is an integer and identifies the version of the CEF format. The current CEF version is 0 (CEF:0). | CEF:0 |
|   | Device Vendor, Device Product, and Device Version are strings that uniquely identify the type of sending device. | \|Secude\|HaloCAD\|6.8.0.0\| |
|   | Device Event Class ID is a unique identifier per event type. This can be a string or an integer. Device Event Class ID identifies the type of event reported. | 100 (User download) |
| Extension | The Extension field contains a collection of key-value pairs. The keys are part of a predefined set. The standard allows for including additional keys as outlined in the "ArcSight Extension Dictionary". An event can contain any number of key-value pairs in any order, separated by spaces (" "). If a field contains a space, such as a filename, this is valid and can be logged in exactly that manner. Secude uses only Standard Key Names from the ArcSight Extension Dictionary and no custom extensions. The reason for that is to avoid the significant limitations that custom extensions would cause. Please refer to the following table. |   |

CEF Header details

14:13:47.207 CEF:0|Secude|HaloCAD|6.8.0.1|999|Export Event|1|deviceCustomDate1Label=exportTime deviceCustomDate1=Apr 10 2025 11:13:45 UTC externalId=D0B08A59D0BA444A911BE22597E09E25 deviceCustomDate2Label=logTime deviceCustomDate2=Apr 10 2025 12:13:47 UTC act=unblocked;labeled;protected fname=Part2.SLDPRT filePath=C:\Vault\TEST2025\PDM\CADFiles fileType=SLDPRT fsize=60146 in=95082 shost=SWPDM_CLIENT_ID duser=secude-swepdm.com\Solidworks,type:SOLIDWORKS_PDM dst=null requestClientApplication=[null] cs2Label=DataDestination cs2=[ platform\=[Unknown], browser\=[], browser_version\=[null], device_type\=[null], terminal_id\=[WSLU0305.secude-swepdm.com], destination_attributes\=[{ key\=[], value\=[], type\=[] }] ] cs3Label=DataOrigin cs3=[ source_type\=[PLM], system_name\=[SWPDM_CLIENT_ID], client_type\=[SOLIDWORKS_PDM], plm_info\=[{ key\=[project_name], value\=[PROJECT NAME], type\=[] }, { key\=[current_state], value\=[Under Editing], type\=[] }, { key\=[ad_group], value\=[], type\=[] }]] cs4Label=ClassifyProtectionData cs4=[ policy_id\=[d7e95033-e7f1-4218-8941-7d60d8e9cf69], policy_name\=[CADSecured], policy_type\=[company_policy], error\=[false], author\=[HaloCAD SOLIDWORKS PDM] ]

CEF sample
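The following parser is an added example, not part of the HaloCAD manual or of Secude's code. It splits a record like the CEF sample above into prefix, header fields and extension, keeps values that contain spaces intact, undoes the `\=` escaping seen in `cs2` to `cs4`, and folds each `...Label` key into the field it names. `SAMPLE` is a constructed, shortened copy of the record above, and the function names are assumptions.

```python
import re

# Constructed sample, shortened from the CEF record shown above.
SAMPLE = (r"14:13:47.207 CEF:0|Secude|HaloCAD|6.8.0.1|999|Export Event|1|"
          r"deviceCustomDate1Label=exportTime "
          r"deviceCustomDate1=Apr 10 2025 11:13:45 UTC "
          r"act=unblocked;labeled;protected fname=Part2.SLDPRT "
          r"filePath=C:\Vault\TEST2025\PDM\CADFiles fsize=60146 "
          r"cs4Label=ClassifyProtectionData "
          r"cs4=[ policy_name\=[CADSecured], error\=[false] ]")

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "event_class_id", "name", "severity")
# A key is a run of word characters at the start of the extension or after
# whitespace, directly followed by "=". An escaped "\=" never matches.
KEY_RE = re.compile(r"(?:^|(?<=\s))(\w+)=")

def unescape(value):
    """Undo the extension escapes for '=' and backslash."""
    return re.sub(r"\\([=\\])", r"\1", value)

def parse_cef(line):
    prefix, marker, body = line.partition("CEF:")
    if not marker:
        raise ValueError("not a CEF record")
    # Seven header fields separated by unescaped pipes, then the extension.
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)
    if len(parts) < 7:
        raise ValueError("truncated CEF header")
    event = dict(zip(HEADER_FIELDS, (p.replace(r"\|", "|") for p in parts)))
    event["syslog_prefix"] = prefix.strip()
    ext_text = parts[7] if len(parts) == 8 else ""
    keys = list(KEY_RE.finditer(ext_text))
    ext = {}
    for i, m in enumerate(keys):
        # A value runs up to the next key, so embedded spaces survive.
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext_text)
        ext[m.group(1)] = unescape(ext_text[m.end():end].strip())
    # Fold "cs4Label=Name cs4=value" pairs into {"Name": value}.
    for label in [k for k in ext if k.endswith("Label")]:
        base = label[:-len("Label")]
        if base in ext:
            value = ext.pop(base)
            ext[ext.pop(label)] = value
    event["extension"] = ext
    return event

if __name__ == "__main__":
    for name, value in parse_cef(SAMPLE)["extension"].items():
        print(f"{name} = {value}")
```

A value that contains an unescaped space followed by `word=` cannot be told apart from a new key, which is why the producer escapes `=` inside `cs2` to `cs4`; a collector should treat unexpected keys in these events as a parsing signal rather than trusted fields.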

Why LEEF Standard?

The Log Event Extended Format (LEEF) is a customized event format for IBM Security QRadar that contains readable and easily processed events for QRadar. 

Syslog and LEEF Header

The LEEF format consists of a Syslog header, a LEEF header, and event attributes. The Syslog header is an optional field. The Syslog header contains the timestamp and IPv4 address or hostname of the system that sends the event. The LEEF header is a required field for LEEF events. The LEEF header is a pipe delimited (|) set of values that identifies your software or appliance to QRadar. Event attributes identify the payload information of the event that is produced by your appliance or software. Every event attribute is a key-value pair with a tab that separates individual payload events.

Syslog Header │ LEEF Header │[Event Attributes]

LEEF format

14:18:49.794 LEEF:2.0|Secude|HaloCAD|6.8.0.1|999|^|exportTime=Apr 10 2025 11:18:47 UTC^eventName=Export Event^externalId=A954616DC855412FB2FA165D086C22BC^logTime=Apr 10 2025 12:18:49 UTC^act=unblocked;labeled;protected^fname=Part2.SLDPRT^filePath=C:\Vault\TEST2025\PDM\CADFiles^ftype=SLDPRT^fsize=60146^fdwnsize=95082^shost=SWPDM_CLIENT_ID^usrName=secude-swepdm.com\Solidworks,type:SOLIDWORKS_PDM^dst=null^usrAgent=[null]^dataDestination=[ platform=[Unknown], browser=[], browser_version=[null], device_type=[null], terminal_id=[WSLU0305.secude-swepdm.com], destination_attributes=[ {key=[], value=[], type=[]} ] ]^dataOrigin=[ source_type=[PLM], system_name=[SWPDM_CLIENT_ID], client_type=[SOLIDWORKS_PDM], plm_info=[ {key=[project_name], value=[PROJECT NAME], type=[]}, {key=[current_state], value=[Under Editing], type=[]}, {key=[ad_group], value=[], type=[]} ] ]^classifyProtectionData=[ policy_id=[d7e95033-e7f1-4218-8941-7d60d8e9cf69], policy_name=[CADSecured], policy_type=[company_policy], error=[false], author=[HaloCAD SOLIDWORKS PDM] ]

LEEF sample

| Format | Description | Example |
|--------|-------------|---------|
| Syslog Header | The Syslog header contains the timestamp. | 17:10:28.743 |
| LEEF Header | LEEF:version: An integer value that identifies the major and minor version of the LEEF format that is used for the event. | LEEF:2.0\|Vendor\|Product\|Version\|EventID\| |
|   | Product name: A text string that identifies the product that sends the event log to QRadar. | LEEF:2.0\|Secude\|HaloCAD\|6.8.0.0\|100\| |
|   | Product version: A string that identifies the version of the software or appliance that sends the event log. | LEEF:2.0\|Secude\|HaloCAD\|6.8.0.0\|100\| |
|   | EventID: A unique identifier for an event. |   |
|   | Delimiter Character: Pipe Specifies an alternative delimiter to the attributes. You can use a single character or the hex value for that character. The hex value can be represented by the prefix 0x or x, followed by a series of 1-4 characters (0-9A-Fa-f). |   |
| Event Attributes | Predefined Key Entries: A set of key-value pairs that provide detailed information about the security event. Each event attribute must be separated by a tab or the delimiter character, but the order of attributes is not enforced. |   |

LEEF Header details
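The following LEEF 2.0 parser is an added example, not part of the HaloCAD manual or of Secude's code. It resolves the delimiter field in both forms the table describes (a single character such as `^`, or a hex value prefixed with `0x` or `x`) and splits each attribute at its first `=` only, so nested values such as `classifyProtectionData` stay whole. `SAMPLE` is a constructed, shortened copy of the LEEF sample above; the function names and the handling of an empty delimiter field are assumptions.

```python
import re

# Constructed sample, shortened from the LEEF record shown above.
SAMPLE = (r"14:18:49.794 LEEF:2.0|Secude|HaloCAD|6.8.0.1|999|^|"
          r"eventName=Export Event^act=unblocked;labeled;protected^"
          r"filePath=C:\Vault\TEST2025\PDM\CADFiles^"
          r"classifyProtectionData=[ policy_name=[CADSecured], error=[false] ]")

def decode_delimiter(field):
    """Return the attribute separator named by the LEEF 2.0 delimiter field."""
    hex_form = re.fullmatch(r"(?:0x|x)([0-9A-Fa-f]{1,4})", field)
    if hex_form:
        return chr(int(hex_form.group(1), 16))
    if len(field) == 1:
        return field
    if field == "":
        return "\t"  # assumption: an empty field means the default tab
    raise ValueError(f"invalid LEEF delimiter field: {field!r}")

def parse_leef(line):
    syslog_header, marker, body = line.partition("LEEF:")
    if not marker:
        raise ValueError("not a LEEF record")
    parts = body.split("|", 6)
    if len(parts) != 7 or parts[0] != "2.0":
        raise ValueError("expected a LEEF 2.0 header with a delimiter field")
    version, vendor, product, product_version, event_id, delim, payload = parts
    event = {"syslog_header": syslog_header.strip(), "leef_version": version,
             "vendor": vendor, "product": product,
             "product_version": product_version, "event_id": event_id}
    attrs = {}
    for pair in payload.split(decode_delimiter(delim)):
        if not pair.strip():
            continue
        key, eq, value = pair.partition("=")  # only the first "=" separates
        if not eq or not key.strip():
            raise ValueError(f"malformed attribute: {pair!r}")
        attrs[key.strip()] = value.strip()
    event["attributes"] = attrs
    return event

if __name__ == "__main__":
    for name, value in parse_leef(SAMPLE)["attributes"].items():
        print(f"{name} = {value}")
```

A file name or path that contains the delimiter character itself would be split into a malformed attribute, which this parser reports as an error instead of silently accepting.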

Why JSON Standard?

The JSON format is a lightweight text-based interchange format used for serializing and transmitting structured data over a network connection. Furthermore, it supports Security Information and Event Management solutions (e.g., Microsoft Azure Sentinel, Splunk, etc.) seamlessly.

JSON syntax is considered a subset of JavaScript syntax; it includes the following:

  1. Data is represented in name/value pairs.

  2. Curly braces hold objects. Each name is followed by ':' (colon), and the name/value pairs are separated by ',' (comma).

  3. Square brackets hold arrays, and values are separated by ',' (comma).

14:31:39.482 {"log_id":"5522AE0F181247E6AA0B204C3A8A045F","product":"HaloCAD","source_host":{"shost":"SWPDM_CLIENT_ID"},"protection":{"policy_id":"d7e95033-e7f1-4218-8941-7d60d8e9cf69","extended_tags":[],"policy_name":"CADSecured","error":false},"destination_info":{"hostname":"WSLU0305.secude-swepdm.com","destination_attributes":[{"type":"","value":"","key":""}],"destination_ip":"null","os":"Unknown","recipients":[],"browser":"null","device_type":"null","browser_version":"null","user_agent":"null"},"classification":{"classification_by_system":[],"classification_by_user":[]},"version":"6.8.0.1","log_time":"Apr 10 2025 12:31:39 UTC","event_id":999,"data_origin":{"generic_info":"null","sap_info":"null","system_name":"SWPDM_CLIENT_ID","pre_process_info":[],"source_type":"PLM","client_type":"SOLIDWORKS_PDM","plm_info":[{"type":"","value":"PROJECT NAME","key":"project_name"},{"type":"","value":"Under Editing","key":"current_state"},{"type":"","value":"","key":"ad_group"}],"bi_info":"null"},"user_info":{"user_email":"HaloCAD SOLIDWORKS PDM","user_type":"SOLIDWORKS_PDM","user_name":"secude-swepdm.com\\Solidworks"},"file_info":{"file_path":"C:\\Vault\\TEST2025\\PDM\\CADFiles","file_name":"Part2.SLDPRT","file_type":"SLDPRT","download_file_size":95082,"original_file_size":60146},"action":["unblocked","labeled","protected"],"export_time":"Apr 10 2025 11:31:37 UTC","event":"Export Event"}

JSON sample

Uninstalling the HaloCAD for SOLIDWORKS PDM

When you no longer use HaloCAD for SOLIDWORKS PDM, you may uninstall the application. Uninstalling removes all files and registry settings that were added to your computer during the initial installation.

Method #1

  1. Click the Start menu, go to Control Panel > Programs > Programs and Features > Uninstall a Program, select the HaloCAD for SOLIDWORKS PDM application from the list, then right-click and select the Uninstall option, or double-click the installer file HaloCAD_SWPDM_Setup.exe.

  2. Depending on your Windows security settings, you may get a security warning as "Do you want to allow the following program to make changes to this computer?". If you get this security warning, click the Yes button to confirm that you want to uninstall the add-on.

  3. The warning message shown below will appear.

    Uninstall Message #1

  4. Uninstalling HaloCAD for SOLIDWORKS PDM (Explorer plug-in) requires your computer to restart to confirm that all files have been completely removed.

    1. By selecting Yes, your computer will restart immediately after removing the HaloCAD component.

    2. By selecting No, the HaloCAD component will be uninstalled, but you must restart your computer manually later.

  5. The following notification will ask you to confirm the uninstall, whether you have chosen Yes or No in the previous message.

    Uninstall Message #2

  6. Click Yes to begin the uninstallation. If you choose No, the uninstalling process will end.

  7. The following confirmation message will appear.

    Uninstall Message #3

  8. The HaloCAD component has been uninstalled successfully. Click OK to close the dialog.

  9. Please be patient while your system restarts.

Method #2 

The following is an example of uninstalling the HaloCAD for SOLIDWORKS PDM using the command line.

  1. Open a command prompt.

  2. Navigate to the add-on installer directory.
    Example: HaloCAD_SWPDM_Setup.exe -uninstall -silent true

  3. The uninstalling process is complete.
