SIEM
You can configure the SIEM settings for reporting syslog events to your SIEM platform. Votiro also supports sending security events (the sanitization summary) directly to an AWS S3 bucket.
To get to the SIEM page, from the navigation pane on the left, click Settings > SIEM.
Management Configuration when Syslog Protocol is not AWS S3
The SIEM configuration parameters displayed depend on the selected Syslog Protocol. The following configuration fields are displayed when the selected protocol is UDP, TCP, TLS or HTTP Logs (Sumo Logic):

| Element | Field | Description |
|---|---|---|
| 1 | Syslog Protocol | Specifies the Syslog message transport protocol. Select from UDP, TCP, TLS (SSL) or HTTP Logs (Sumo Logic). |
| 2 | SIEM Server address | Address of the SIEM system collector service. Specify either a fully qualified hostname or an IPv4 address. The default is empty; when the address is empty, the server uses its own IP address. Note: the SIEM server address must include the address protocol (HTTP or HTTPS). |
| 3 | SIEM Server port | Port of the SIEM system collector service. Specify a positive integer between 1 and 65535. The default is. For more information about SIEM logging in Management, see Syslog Events to SIEM Platforms. |
| 4 | Syslog Format | Specifies the Syslog message format. Select from CEF or LEEF. |
| 5 | TLS Certificate | If the server mandates certificate authentication for the TLS protocol, a TLS certificate file must be imported. After importing the certificate file, refresh the page; the certificate name and creation date are then displayed. |

Note

Fields marked with a red asterisk (*) are mandatory and must be completed.
To import a TLS certificate:

a. Click the Import button.
b. An explorer window opens. Navigate to the certificate file to import and select it.
c. After importing the certificate, refresh the page.
d. The certificate name and creation date are displayed, and a confirmation message appears.

To delete a certificate that was imported:

a. Click the Delete button.
b. A confirmation message appears.
As you make changes, the Items Changed count increases. When you have finished, select either Save Changes or Discard Changes at the bottom of the page to keep or revert your edits to the original settings.
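The collector on the receiving end has to parse whatever the CEF or LEEF setting above produces. As an added example (this is not Votiro's code, and the sample lines are constructed, with placeholder vendor, product and extension keys rather than Votiro's actual event fields, which are documented in Syslog Events to SIEM Platforms), the following Python parser handles both framings, including the header escapes (`\|`, `\\`) and extension-value escapes (`\=`, `\n`) that a naive split on `|` and `=` gets wrong, and runs a small detection over the parsed events:

```python
import re

# CEF/LEEF value escapes: backslash followed by the escaped character
# ("\=" "\\" "\n" "\r"); "n" and "r" become control characters.
_ESC = re.compile(r"\\(.)")


def _unescape(value):
    return _ESC.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _split_header(text, nfields):
    """Split nfields pipe-delimited header fields, honouring the \\| and \\\\
    escapes. Returns (fields, remainder after the nfields-th pipe)."""
    fields, buf, i = [], [], 0
    while i < len(text) and len(fields) < nfields:
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            buf.append(text[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    if len(fields) < nfields:
        raise ValueError("truncated header: %r" % text)
    return fields, text[i:]


# A CEF extension key starts the string or follows a space and ends at "=";
# an escaped "\=" inside a value is never preceded by a key character.
_CEF_KEY = re.compile(r"(?:^|(?<= ))([A-Za-z0-9_.\-]+)=")


def _parse_cef_extension(ext):
    """key=value pairs separated by single spaces; values may contain spaces."""
    out, keys = {}, list(_CEF_KEY.finditer(ext))
    for n, m in enumerate(keys):
        if n + 1 < len(keys):
            raw = ext[m.end():keys[n + 1].start() - 1]  # drop the separating space
        else:
            raw = ext[m.end():]
        out[m.group(1)] = _unescape(raw)
    return out


def _leef_delimiter(field):
    """LEEF 2.0 delimiter field: empty means tab, 'x09' is hex, else a literal char."""
    if field == "":
        return "\t"
    if re.fullmatch(r"x[0-9A-Fa-f]{2}", field):
        return chr(int(field[1:], 16))
    return field


def parse_event(line):
    """Parse one syslog line carrying a CEF or LEEF payload; any syslog PRI,
    timestamp or host prefix before the CEF:/LEEF: marker is ignored."""
    m = re.search(r"(CEF|LEEF):(\d+(?:\.\d+)?)\|", line)
    if not m:
        raise ValueError("no CEF/LEEF payload found")
    fmt, version, body = m.group(1), m.group(2), line[m.end():]
    if fmt == "CEF":
        hdr, ext = _split_header(body, 6)
        names = ("vendor", "product", "device_version", "event_class_id", "name", "severity")
        return {"format": fmt, "version": version, **dict(zip(names, hdr)),
                "ext": _parse_cef_extension(ext)}
    # LEEF 1.0 has four header fields after the version; 2.0 adds a delimiter field
    n = 5 if version.startswith("2") else 4
    hdr, attrs = _split_header(body, n)
    delim = _leef_delimiter(hdr[4]) if n == 5 else "\t"
    names = ("vendor", "product", "device_version", "event_id")
    parsed = {}
    for pair in attrs.split(delim):
        if "=" in pair:
            k, v = pair.split("=", 1)
            parsed[k] = _unescape(v)
    return {"format": fmt, "version": version, **dict(zip(names, hdr[:4])), "attrs": parsed}


_SEV_WORDS = {"low": 1, "medium": 4, "high": 7, "very-high": 9}


def cef_severity(event):
    """Numeric CEF severity: 0-10, or the spec's Low/Medium/High/Very-High words."""
    s = event["severity"].strip()
    return int(s) if s.isdigit() else _SEV_WORDS.get(s.lower(), 0)


# Constructed sample lines for this demo (not real Votiro output; vendor, product,
# event IDs and extension keys are placeholders chosen to exercise the escaping rules)
SAMPLE_LINES = [
    "<134>Jan 10 12:00:00 mgmt-host CEF:0|ExampleVendor|ExampleProduct|1.0|100|File sanitized|3|"
    "fname=report\\=final.docx act=sanitized cs1Label=Policy cs1=Default msg=Macro removed\\nOLE removed",
    "<134>Jan 10 12:00:05 mgmt-host CEF:0|ExampleVendor|ExampleProduct|1.0|200|File blocked|High|"
    "fname=invoice.pdf act=blocked",
    "LEEF:2.0|ExampleVendor|ExampleProduct|1.0|200|x09|fname=macro.xlsm\tact=blocked\tsev=7",
]


def blocked_files(lines):
    """Example detection: file names of events whose action is 'blocked'."""
    names = []
    for line in lines:
        ev = parse_event(line)
        kv = ev["ext"] if ev["format"] == "CEF" else ev["attrs"]
        if kv.get("act") == "blocked":
            names.append(kv["fname"])
    return names


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_event(line))
    print(blocked_files(SAMPLE_LINES))  # ['invoice.pdf', 'macro.xlsm']
```

Feed it the raw lines as the collector stores them; the syslog header in front of the payload is skipped. Adapt the detection to the key names Votiro actually emits once you have confirmed them against Syslog Events to SIEM Platforms.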
Management Configuration for AWS S3
For each file sanitization, a new event (in JSON format) is created in the S3 bucket. You can parse the event data and perform automated actions as part of your SIEM activity.

The following configuration fields are displayed when the selected protocol is AWS S3:

| Element | Field | Description |
|---|---|---|
| 1 | Syslog Protocol | Specifies the Syslog message transport protocol. Select AWS S3. |
| 2 | IAM Role Account | Specify the account for each region for authentication. |
| 3 | Bucket name | Specify the AWS S3 bucket name. |
| 4 | Bucket serviceUrl | Specify the AWS bucket service URL (default: https://s3.amazonaws.com). |
| 5 | Bucket path | Specify the AWS bucket path (folder). |
The following steps describe the procedure:

1. AWS S3 bucket creation: create the bucket that will receive the events.

2. Bucket permission (IAM role): attach a bucket policy that grants the Votiro sink role access to the bucket. Use the following policy as an example, replacing {ID} with your AWS account ID and <Your-S3-Bucket> with the bucket name:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::{ID}:role/votiro-s3-logs-sink-role"
          },
          "Action": [
            "s3:GetObject",
            "s3:PutObject",
            "s3:DeleteObject",
            "s3:GetObjectTagging",
            "s3:PutObjectTagging"
          ],
          "Resource": "arn:aws:s3:::<Your-S3-Bucket>/*"
        }
      ]
    }

    This example grants read, write and delete on every object in the bucket. Keep the grant as narrow as your deployment allows: restrict Resource to the configured Bucket path, and leave out any action the sink does not need (for example s3:DeleteObject if sanitization events are meant to be immutable once written).

3. Sanitization Summary Event: in the Management AWS S3 configuration, enter the IAM Role Account, Bucket name, Bucket serviceUrl and Bucket path that correspond to the bucket created in step 1.

4. Event message structure: one event is written per file sanitization, as an object named according to the template votiro_sanitization_summary{TimeStamp}.json. The event message fields are described in Syslog Events to SIEM Platforms.
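Before attaching a bucket policy like the one in step 2, it is worth checking it mechanically. As an added example (not part of Votiro's documentation), the following Python function audits a bucket policy and flags unfilled placeholders, wildcard principals, resources outside the intended bucket, and actions beyond what a write-only log sink needs. The write-only baseline (s3:PutObject and s3:PutObjectTagging only) is this example's assumption; if Votiro needs s3:GetObject or s3:DeleteObject to function, extend SINK_ACTIONS. The account ID 123456789012, the bucket name example-votiro-logs and the votiro/ path are constructed sample values.

```python
import json
import re

# Least-privilege baseline assumed for a log sink: it only ever writes objects.
# If the product is confirmed to need GetObject/DeleteObject, add them here.
SINK_ACTIONS = {"s3:putobject", "s3:putobjecttagging"}
DESTRUCTIVE = {"s3:deleteobject", "s3:deleteobjectversion", "s3:*", "*"}

ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")
OBJECT_ARN = re.compile(r"^arn:aws:s3:::([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])/(.*)$")


def _as_list(value):
    """IAM lets Statement, Principal.AWS, Action and Resource be a string or a list."""
    return value if isinstance(value, list) else [value]


def audit_bucket_policy(policy_json, expected_bucket):
    """Return findings (strings) for a bucket policy that is meant to let the
    sink role write sanitization events; an empty list means it passes."""
    findings = []
    policy = json.loads(policy_json)
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    for n, st in enumerate(_as_list(policy.get("Statement", []))):
        tag = f"statement {n}"
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        arns = [principal] if isinstance(principal, str) else _as_list(principal.get("AWS", []))
        for arn in arns:
            if arn == "*":
                findings.append(f"{tag}: wildcard principal lets any AWS account write here")
            elif "{" in arn or "<" in arn:
                findings.append(f"{tag}: principal {arn!r} still contains a placeholder")
            elif not ROLE_ARN.match(arn):
                findings.append(f"{tag}: principal {arn!r} is not a well-formed IAM role ARN")
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        for a in sorted(actions & DESTRUCTIVE):
            findings.append(f"{tag}: {a} lets the sink delete its own audit trail")
        for a in sorted(actions - SINK_ACTIONS - DESTRUCTIVE):
            findings.append(f"{tag}: {a} goes beyond a write-only sink; confirm it is needed")
        for res in _as_list(st.get("Resource", [])):
            m = OBJECT_ARN.match(res)
            if not m:
                findings.append(f"{tag}: resource {res!r} is not an object ARN (arn:aws:s3:::bucket/key)")
            elif m.group(1) != expected_bucket:
                findings.append(f"{tag}: resource targets bucket {m.group(1)!r}, expected {expected_bucket!r}")
    return findings


# Constructed samples: 123456789012 is the AWS documentation's example account ID,
# example-votiro-logs a made-up bucket name.
PAGE_STYLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/votiro-s3-logs-sink-role"},
        "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                   "s3:GetObjectTagging", "s3:PutObjectTagging"],
        "Resource": "arn:aws:s3:::example-votiro-logs/*",
    }],
})

WRITE_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/votiro-s3-logs-sink-role"},
        "Action": ["s3:PutObject", "s3:PutObjectTagging"],
        # scoped to the Bucket path configured in Management (assumed "votiro/")
        "Resource": "arn:aws:s3:::example-votiro-logs/votiro/*",
    }],
})

if __name__ == "__main__":
    for finding in audit_bucket_policy(PAGE_STYLE_POLICY, "example-votiro-logs"):
        print("page-style policy:", finding)
    print("write-only policy:", audit_bucket_policy(WRITE_ONLY_POLICY, "example-votiro-logs"))
```

Run it against the policy with the placeholders filled in; a policy that still carries {ID} or <Your-S3-Bucket> is reported as such, and the page-style grant is reported for its delete and read actions so that each can be justified or removed before deployment.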