SIEM

SIEM integrations are viewable and actionable from the Administration menu on the Home page. SIEM integrations produce the audit logs of captured actions that are sent to registered Security Information and Event Management (SIEM) endpoints in near real time.

SIEM actions are also supported in the CLI. Refer to SIEM Integrations.

Viewing SIEM Integrations

To access a list of the currently defined SIEM integrations, select SIEM from the Administration drop-down.

For every audit action, DSV will try twice to reach the endpoint. If the endpoint is unresponsive after ten actions and retries, DSV will deregister the endpoint and mark it as failed (FAILED yes). The endpoint must be recreated or updated to be used again.

At the SIEM page, click any SIEM to view its details. In addition to the parameters defined when the SIEM integration was created (refer to Creating a SIEM Integration for Auditing), the following information is provided:

  • ID: The internal audit ID associated with the protocol.
  • Failed Events: The number of times a send to the endpoint failed.


Creating a SIEM Integration for Auditing

  1. From the Home page, select the SIEM folder, then click Create New SIEM. Supply the following information at the Create New SIEM dialog box.

  • Name (required): The label in the UI used to identify the SIEM configuration.
  • SIEM Type (required): The logging output format used to register an endpoint.
  • Protocol (required): The transport protocol expected by the endpoint.
  • Logging Format (required): The format for Syslog messages. Currently, messages must be in RFC 5424-compliant format.
  • Host (required): The URL of the server that hosts the configuration.
  • Port (required): The port number used in the protocol.
  • Auth (required): The authentication method used in the protocol.
  • Endpoint: The endpoint on the network that SIEM logs are generated for.
  • Send to Engine: Enabling this control allows audit logs to be sent through a DSV engine to a server that isn't accessible from the outside internet. An engine and pool must already be configured.
  • Pool (required): If Send to Engine is enabled, this field allows selection of an engine pool. A message will appear if a pool does not exist for selection or a network delay occurs.

  2. Click Save.
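The Logging Format field requires RFC 5424-compliant Syslog. As an added example that is not part of the DSV documentation or product, the following receiver-side check parses incoming lines against the RFC 5424 header and structured-data grammar, accepting compliant audit messages and setting aside anything else for review; the sample lines and the `dsv@0` structured-data ID are constructed assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# RFC 5424 HEADER: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) (?P<timestamp>-|\S+) "
    r"(?P<hostname>\S{1,255}) (?P<appname>\S{1,48}) (?P<procid>\S{1,128}) "
    r"(?P<msgid>\S{1,32}) (?P<rest>.*)$",
    re.DOTALL,
)
# STRUCTURED-DATA: "-" or one or more [SD-ID PARAM="VALUE" ...] elements; MSG follows one space.
SD_RE = re.compile(
    r'^(?P<sd>-|(?:\[[^\]\\]*(?:\\.[^\]\\]*)*\])+)(?: (?P<msg>.*))?$', re.DOTALL
)

def parse_rfc5424(line: str) -> Optional[Dict[str, object]]:
    """Return the message fields, or None if the line is not RFC 5424-compliant."""
    head = HEADER_RE.match(line)
    if head is None or int(head.group("pri")) > 191:  # PRI = facility*8+severity <= 191
        return None
    body = SD_RE.match(head.group("rest"))
    if body is None:
        return None
    pri = int(head.group("pri"))
    fields = {k: v for k, v in head.groupdict().items() if k not in ("pri", "rest")}
    fields.update(facility=pri // 8, severity=pri % 8,
                  structured_data=body.group("sd"), msg=body.group("msg") or "")
    return fields

def triage(lines: List[str]) -> Tuple[List[Dict[str, object]], List[str]]:
    """Split a batch into accepted (parsed) messages and rejected raw lines."""
    accepted, rejected = [], []
    for line in lines:
        parsed = parse_rfc5424(line)
        if parsed is None:
            rejected.append(line)   # keep the raw line for review rather than dropping it
        else:
            accepted.append(parsed)
    return accepted, rejected

# Constructed sample lines (not real DSV output): two compliant messages, one legacy
# BSD-syslog line and one with an out-of-range PRI.
SAMPLE_LINES = [
    '<110>1 2024-05-01T12:00:00.000Z dsv.example.internal dsv - audit '
    '[dsv@0 action="secret:read" path="databases/prod/admin" user="alice"] secret read',
    '<14>1 - dsv.example.internal dsv - audit - no structured data',
    'May  1 12:00:00 dsv-host dsv[123]: legacy RFC 3164 line',
    '<999>1 2024-05-01T12:00:00Z dsv.example.internal dsv - audit - bad PRI',
]
```

Running `triage(SAMPLE_LINES)` accepts the first two lines (facility 13/severity 6 and facility 1/severity 6) and rejects the other two, which is the split an operator would want surfaced when a DSV endpoint starts sending non-compliant or truncated messages.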

Deleting a SIEM Integration

To delete a SIEM integration, select the SIEM integration in the list on the SIEM page to access its details.

Click Delete SIEM.

The integration is removed from the SIEM list.