If you're having trouble at any stage please contact us at support@skyformation.com. 

Compatible with SkyFormation App Version

This guide is compatible with SkyFormation App version 2.1.22 (see Get Your SkyFormation App Version). If you are using an older version of SkyFormation we highly recommend to update to the latest one.

Preface

The purpose of this guide is to detail the steps you should take to add a SIEM to the SkyFormation platform.

Steps

a. Go to SETTINGS -> SIEM INTEGRATION and press on "ADD SIEM" 

b. Fill in the SIEM parameters as followed

    - Name
      Give this SIEM a friendly name for you to later use and refer to.

      Example: 
      "Main SIEM"  

    - Host
      The SIEM IPv4 address or DNS name

      Examples: 
      "10.0.0.2"
      "mysiem.corp.net"     

    - Port
      The port in use by the SIEM to get the SkyFormation syslog events at

      Examples: 
      "514" 

    - Protocol
      Choose the protocol to be used (TCP/UDP/TLS) for the syslog channel with the SIEM.

      Examples: 
      "TCP" 

    - Message Format
      According to your SIEM requirements choose the syslog spec to be used. Default RFC 5424
      should be used unless the deprecated RFC 3164 is must. 

      For RSA NetWitness use the "RFC 3164 SHORT" option.

    - Activate (Only for single-tenant mode)
      When SkyFormation single-tenant mode is used, SkyFormation will offer you to automatically
      activate the new SIEM just added by attach it to the default-tenant. In case you do not want
      to use the SIEM just added change to NO .

   3. Press the "TEST CONNECTION" to send a test syslog event to the configured SIEM

      You should get the below indication in case the SIEM configuration is correct and the target
      SIEM have accepted the test event (only relevant in TCP/TLS case).

       To double check you could also search your SIEM for a syslog/CEF event where:
       cef_name = "Skyformation-test SIEM settings event"

4. Press SAVE

  DONE