SIEM Integration

ALM supports integration with security information and event management (SIEM) tools. The following is a list of events that can be sent to SIEM:

Event Description
Account Owner Changed A managed account has had an owner added or removed.
Account Provisioned An account was successfully provisioned.
Account Requires Renewal An account is up for renewal.
Account Secret ID Changed An account's secret ID was changed.
End of Life Notification An account's End of Life action will be taken in a number of days.
External Groups Disabled Some groups in the domain were disabled in ALM during the last domain sync.
New External User Accounts have been added since the last sync and are not being managed by ALM.
New Synced User Sent a new user welcome email.
Provision Approval Step Changed A provision step requires approval.
Provision State Changed A request failed to provision.
Provision Template State Changed A provision template was updated to a new state.
Remote Worker Integration Access Error A remote worker cannot access the configured domain.
Request State Changed The state of a request has changed.
User Disabled by AD User Sync The last Active Directory Sync disabled a number of users.
Any Audit Record All audits are sent to SIEM.

Creating a SIEM Integration

To create a new integration:

  1. Click Integrations on the left-hand navigation menu and select SIEM.

    siemnav "SIEM navigation"

  2. Click Create SIEM Integration in the top right-hand corner to bring up the Add SIEM Integration window.

    newsiem "New SIEM Window"

  3. Enter a Name for the integration.

  4. Choose an Engine Pool for the integration.

  5. Enter the Server URL where ALM will send data.

  6. Click Add to bring up the Manage SIEM Integration page.

    managesiem "Manage SIEM Integration"

  7. On the Manage SIEM Integration page, click Edit to change the values for each section.

    Note: The Port and Protocol automatically fill with default values. Make sure to change the values to match your server settings. The Output Type defaults to Syslog. It can be changed to JSON or CEF.

  8. Set the Enabled toggle to Yes to activate the SIEM integration.

  9. When the integration is configured, click Test SIEM Integration in the upper right-hand corner. Clicking will immediately send ALM data to your chosen server.

Deleting a SIEM Integration

Any of the currently configured SEIM integrations, listed on the Integrations > SIEM page, can be deleted. To refine the list of currently configured integrations, use the Search field to locate a specific configuration. Use the Filters drop-down to restrict the list to All, Disabled, or Enabled configurations, as well as a specified Search Term.

To delete an existing SIEM configuration:

  1. Click the SIEM configuration to be deleted.

  2. At the Manage SIEM Integration page, click Delete. A message indicating that the configuration has been deleted is displayed.

    deletesiem " Delete SIEM Integration"