Create New SIEM Configuration
- From the Enterprise Integration page, click SIEM and then click New.
- Enter the following information.
  - Name - Enter a name for this configuration.
  - (Optional) Description - Enter a brief description.
  - Destinations - Select one or more destinations to which to apply this configuration:
    - SaaS Apps (select the category, or expand it to select individual apps)
    - Enterprise Apps (select the category, or expand it to select individual apps)
    - Websites (select the category, or expand it to select individual sites)
    - Networks (select the category, or expand it to select individual networks)
    - Admin Audit Logs
  - Event Type - Select one or more event types for this configuration:
    - Activities
    - Violations
    - Anomalies
    - CDD Activities
    - CDD Violations
    - Security Posture
    - Discovery
  - Vendor - Select a vendor:
    - HP ArcSight
    - IBM QRadar
    - Intel Security
    - LogRhythm
    - Others
    - Splunk
  - Forwarded Type - Select Spooling Directory, Syslog TCP, or Syslog UDP.
    - For Spooling Directory, enter the directory path for the generated log files.
    - For Syslog TCP or Syslog UDP, enter a remote host name, a port number, and a log format (JSON, CEF, or CEF_V2).
- Click Save.
The new configuration is added to the list. By default, the authentication token is hidden. To display it, click Show.
Once an agent is downloaded and installed, a connection can be made. A green connector icon indicates a successful connection.
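The Syslog TCP/UDP forwarding described above delivers events in the JSON, CEF, or CEF_V2 log format selected in the configuration. The following checker, added here as an example and not code from the product or its documentation, parses one received syslog line in either format so an administrator can confirm that events arrive intact at the configured remote host and port before the SIEM depends on them; the vendor name, product name, and sample lines are constructed, and CEF_V2 is assumed to share the standard CEF header layout.

```python
import json
import re

# CEF header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
# A literal "|" inside a header field is escaped as "\|", so split on unescaped pipes only.
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")
# Extension is "key=value key2=value2"; values may contain spaces, and "=" is escaped as "\=".
_EXT_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
_HEADER_FIELDS = ("version", "vendor", "product", "product_version",
                  "signature_id", "name", "severity")


def _unescape(value: str) -> str:
    return re.sub(r"\\(.)", r"\1", value)  # "\|" -> "|", "\=" -> "=", "\\" -> "\"


def parse_cef(line: str) -> dict:
    """Return the header fields and extension key/values of one CEF event."""
    start = line.find("CEF:")  # skip the syslog PRI/timestamp/host prefix
    if start < 0:
        raise ValueError("no CEF header found in line")
    parts = _UNESCAPED_PIPE.split(line[start:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-separated fields plus an extension")
    header = dict(zip(_HEADER_FIELDS, (_unescape(p) for p in parts[:7])))
    header["version"] = header["version"][len("CEF:"):]
    extension = {k: _unescape(v) for k, v in _EXT_KV.findall(parts[7])}
    return {"header": header, "extension": extension}


def parse_forwarded(line: str, log_format: str) -> dict:
    """Parse a received syslog line according to the configured log format."""
    if log_format == "JSON":
        start = line.find("{")  # skip the syslog PRI/timestamp/host prefix
        if start < 0:
            raise ValueError("no JSON object found in line")
        return json.loads(line[start:])
    if log_format in ("CEF", "CEF_V2"):  # CEF_V2 assumed to share the CEF header layout
        return parse_cef(line)
    raise ValueError(f"unknown log format {log_format!r}")


# Constructed sample lines, as a syslog receiver on the configured port might see them.
SAMPLE_CEF = ("<13>Jan  5 10:00:00 casb-agent CEF:0|ExampleVendor|CASB|1.0|100|Policy violation|7|"
              "src=10.0.0.5 suser=alice@example.com msg=Upload blocked\\= policy P1 act=block")
SAMPLE_JSON = '<13>Jan  5 10:00:00 casb-agent {"event_type": "Violations", "user": "alice@example.com"}'
```

A line that fails to parse usually means the wrong log format was selected in the configuration or the receiver is truncating long messages, which is worth checking before building detections on the feed.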