Articles in this section

How-to: Check a SIEM configuration is valid

Avatar
Itai Hadayer
  • Updated
Follow

Problem description

This post will help you verify that a SIEM added to SkyFormation app is:

  • Correctly defined
  • SkyFormation app could send it audit events

SkyFormation app supports multiple concurrent SIEM systems if needed.
Each SIEM system added to SkyFormation app could be used by the app to send audit events
from any of the SkyFormation cloud connectors.

SkyFormation is a multi-tenant app. Each tenant added to the SkyFormation app could be attached to one of the SIEM system added to it.

If you add multiple tenants (aka multi-tenant) to your SkyFormation app you could attach each to a different SIEM system added or attach few tenants to the same SIEM.

To allow a cloud connector to send audit events to a SIEM, the cloud connector should be attached to a specific tenant and that tenant should be attached to a SIEM.

cloud connector/s --- (attached to) --> Tenant ---(attached to) --> SIEM

Please follow the steps below to verify that a specific SIEM added to the cloud connector is attached to a tenant that by itself is attached to a valid SIEM.

Steps

Step 1: Log into your SkyFormation app

Step 2: Go to the "SETTINGS --> SIEM INTEGRATION" page

Step 3: Look in the table for the SIEM system you would like to validate its configuration

Step 4: Validating the SIEM configuration settings
             Focus on the SIEM raw and press "EDIT" to see its configuration
             Make sure the settings entered are indeed the SIEM system you would like
             to send events to.
             
             To better understand the different SIEM settings and their meaning see:
             Adding a SIEM to SkyFormation Platform

               Now we will verify SkyFormation app could send audit events to the SIEM    

Step 5:  Sending a test audit event to the configured SIEM
              Press the "TEST CONNECTION" to send a test syslog event to the configured SIEM

               You should get the below indication in case the SIEM configuration is correct and the
               target SIEM have accepted the test event (only relevant in TCP/TLS case).

               If you succeeded sending the test event it means the communication between
               SkyFormation app to the SIEM is allowed using the syslog channel configured. 

               

               If you got error trying to send test event to the SIEM configured see the below
               troubleshooting section for potential root causes and how to resolve.

               Now we will make sure the SIEM parse the SkyFormation events correctly

    Step 6: Validating the test event sent using CEF encoding over syslog is visible at the SIEM

                Search your SIEM for event with the following string:
                cef_name = "Skyformation-test SIEM settings event"

                If you find such event in the SIEM and the CEF dimensions parsed correctly you are
                good. If not consult your SIEM admin for the potential root cause.

 

Done

 

Troubleshooting and resolve 'send test event' failures

Potential root cause How to validate How to fix
No open listener/collector listener at the syslog port configured in SkyFormation Ask the SIEM admin to check if such collector exist and listen Ask the SIEM admin to add such collector
Firewall between the SkyFormation app and the SIEM block the syslog communication Consult the network admin if such Firewall exist and if it might block the syslog protocol/port you are trying to use for the SIEM Ask the Firewall admin to allow the syslog:port communication

 

 

logo-horizontal-1-big.png

 

Related articles

Comments

0 comments

Please sign in to leave a comment.