Problem description
This post will help you verify that a SIEM added to the SkyFormation app is:
- Correctly defined
- Able to receive the audit events the SkyFormation app sends to it
The SkyFormation app supports multiple concurrent SIEM systems if needed.
Each SIEM system added to the SkyFormation app can be used by the app to send audit events
from any of the SkyFormation cloud connectors.
SkyFormation is a multi-tenant app. Each tenant added to the SkyFormation app can be attached to one of the SIEM systems added to it.
If you add multiple tenants (multi-tenant mode) to your SkyFormation app, you can attach each to a different SIEM system or attach several tenants to the same SIEM.
To allow a cloud connector to send audit events to a SIEM, the cloud connector must be attached to a specific tenant, and that tenant must be attached to a SIEM.
cloud connector/s --- (attached to) --> Tenant ---(attached to) --> SIEM
Please follow the steps below to verify that a specific SIEM added to the SkyFormation app is correctly configured and reachable, so that a cloud connector attached to a tenant that is itself attached to that SIEM can send it events.
Steps
Step 1: Log into your SkyFormation app
Step 2: Go to the "SETTINGS --> SIEM INTEGRATION" page
Step 3: Look in the table for the SIEM system whose configuration you would like to validate
Step 4: Validating the SIEM configuration settings
Focus on the SIEM row and press "EDIT" to see its configuration.
Make sure the settings entered are indeed those of the SIEM system you would like
to send events to.
To better understand the different SIEM settings and their meaning, see:
Adding a SIEM to SkyFormation Platform
Now we will verify that the SkyFormation app can send audit events to the SIEM.
Step 5: Sending a test audit event to the configured SIEM
Press "TEST CONNECTION" to send a test syslog event to the configured SIEM.
You should get a success indication if the SIEM configuration is correct and the
target SIEM has accepted the test event (acceptance feedback is only available in the TCP/TLS case).
If the test event was sent successfully, communication from the
SkyFormation app to the SIEM is allowed over the syslog channel configured.
If you got an error when sending the test event to the configured SIEM, see the
troubleshooting section below for potential root causes and how to resolve them.
Now we will make sure the SIEM parses the SkyFormation events correctly.
Step 6: Validating that the test event, sent using CEF encoding over syslog, is visible in the SIEM
Search your SIEM for an event with the following string:
cef_name = "Skyformation-test SIEM settings event"
If you find such an event in the SIEM and the CEF dimensions were parsed correctly, you are
good. If not, consult your SIEM admin for the potential root cause.
Done
Troubleshooting and resolving 'send test event' failures
| Potential root cause | How to validate | How to fix |
|---|---|---|
| No listener/collector open at the syslog port configured in SkyFormation | Ask the SIEM admin to check whether such a collector exists and is listening | Ask the SIEM admin to add such a collector |
| A firewall between the SkyFormation app and the SIEM blocks the syslog communication | Consult the network admin on whether such a firewall exists and whether it might block the syslog protocol/port you are trying to use for the SIEM | Ask the firewall admin to allow the syslog protocol:port communication |
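As an added example (not SkyFormation's own code), the Step 6 check and the first troubleshooting row in Python: a small CEF parser that picks the test event out of syslog lines by its cef_name, the way a SIEM search should, plus a TCP probe for a collector on the configured syslog port. The sample lines, vendor/product values and extension fields are constructed assumptions, not the app's real payload.

```python
import re
import socket

# Name carried in the CEF "Name" header field of the SkyFormation test event.
EXPECTED_TEST_EVENT_NAME = "Skyformation-test SIEM settings event"

# Constructed sample lines (not SkyFormation's real payload): a syslog line
# carrying a CEF record shaped like the test event, and an unrelated event.
SAMPLE_SYSLOG_LINES = [
    "<14>Jan 10 12:00:00 skyformation-app CEF:0|SkyFormation|SkyFormation App|"
    "1.0|100|Skyformation-test SIEM settings event|3|suser=admin msg=Test\\=ok",
    "<14>Jan 10 12:00:05 skyformation-app CEF:0|SkyFormation|SkyFormation App|"
    "1.0|200|User login|5|suser=alice src=10.0.0.5",
]


def parse_cef(line):
    """Parse a syslog line carrying a CEF record; return None if it has none.
    Header fields split on unescaped pipes ('\\|' is a literal pipe); the
    extension is key=value pairs where '\\=' is a literal equals sign."""
    start = line.find("CEF:")
    if start < 0:
        return None
    fields = re.split(r"(?<!\\)\|", line[start + 4:], maxsplit=7)
    if len(fields) < 8:
        return None
    names = ["version", "device_vendor", "device_product", "device_version",
             "signature_id", "name", "severity"]
    header = {n: v.replace("\\|", "|") for n, v in zip(names, fields)}
    extensions = {}
    for pair in re.split(r"\s+(?=[A-Za-z0-9_.]+=)", fields[7].strip()):
        key, _, value = pair.partition("=")
        extensions[key] = value.replace("\\=", "=")
    return {"header": header, "extensions": extensions}


def find_test_events(lines):
    """Parsed records whose CEF name is the SkyFormation test event (Step 6)."""
    hits = []
    for line in lines:
        record = parse_cef(line)
        if record and record["header"]["name"] == EXPECTED_TEST_EVENT_NAME:
            hits.append(record)
    return hits


def syslog_listener_reachable(host, port, timeout=3.0):
    # TCP-only check for the first troubleshooting row: UDP syslog gives no
    # delivery signal, which is why the page limits the test to TCP/TLS.
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

If the search in your SIEM returns the raw line but `parse_cef`-style splitting of it yields a different name or empty extensions, the collector is most likely not treating the payload as CEF.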