Configuring SIEM Integration
- Click Security Settings > Security Engines.
- Click Configure for SIEM Integration.
- Select the required Transport method and enter the relevant details. The supported Transport methods and the fields each one requires are:
  - Splunk HTTP Event Collector (HEC)
    - HTTP Event Collector Host / URI
    - HTTP Event Collector Token
    - (Optional) Use indexer acknowledgment: select the Use indexer acknowledgment checkbox and enter the Channel ID. Each request then carries the X-Splunk-Request-Channel header with the channel ID as its value.
    - (Optional) Use Splunk index: select the Use Splunk index checkbox and enter the Splunk index name. The index name is added as the value of the index key at the top level of the payload.
    - (Optional) Verify SSL (CA certificate required): if you have an on-prem Splunk, contact Avanan Support and provide your certificate before you select this checkbox.
  - HTTP Collector
    - HTTP Collector URL (HTTP/HTTPS), for example https://myconnector.mycompany.com
    - (Optional) Verify SSL (CA certificate required): if you use a custom certificate, contact Avanan Support, provide the certificate and wait for their approval before you select this checkbox.
    - Authentication: if you use a bearer token, click Add Authentication and select Bearer Token from the Authentication Type dropdown. Enter the token in the Bearer Token field.
    - Custom headers: to add custom headers to each event, select the Add custom header checkbox and enter the header name and value. To add another header, select the Add another custom header checkbox.
  - AWS S3
  - AWS SQS
    - AWS SQS Queue URL. To use a queue maintained by Avanan, contact Avanan Support to get the URL, client ID and client secret.
    - Use External SQS Queue: to use your own SQS queue, select the Use External SQS Queue checkbox and provide the AWS IAM Role ARN.
  - Azure Sentinel (Note: you first need to set up the Avanan Azure Sentinel connector in your Azure tenant.)
    - Tenant ID
    - DCE Domain
    - DCR ID
    - Stream Table Name
    - Application Client ID
    - Application Client Secret
  - Azure Log Workspace
    - Azure Log Workspace ID
    - Azure Log Workspace Shared Key
  - TCP
    - TCP Host
    - TCP Port
    - Use TLS: before enabling the Use TLS checkbox, contact Avanan Support, provide your certificate and wait for their approval.
  - Google Chronicle
    - Customer ID: the unique identifier (UUID) of your Chronicle instance.
    - Account Region: the region in which your Chronicle instance was created.
    - Credentials JSON: Google Service Account credentials. Note: if the Credentials JSON option is not available, contact Google support.
    - Ingestion API: the Google Chronicle Ingestion API type, one of:
      - Unified Data Model (UDM) event. Note: if you choose this option, select the JSON (Google UDM Compatible) log format.
      - Unstructured log. Note: if you choose this option, select the Google Chronicle Unstructured Logs log format.
  - Crowdstrike NG-SIEM
    - CrowdStrike Event Collector Host / URL
    - Bearer Token
- Select the required log Format. The available formats are:
  - JSON (Splunk HEC/CIM compatible)
  - JSON (CIM compatible)
  - JSON
  - JSON Flat (dot notation)
  - JSON (Rapid7, <8k characters)
  - JSON (Elastic ECS compatible)
  - JSON (Crowdstrike ECS compatible)
  - JSON (Google UDM compatible)
  - Syslog (see Forwarding Logs in Syslog Format)
  - Google Chronicle Unstructured logs
  For more information, see Extending Formats to Include Additional Information.
- Click Save.
After you configure the SIEM integration, Avanan starts sending logs. You have to configure your SIEM platform to receive Avanan logs.
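As an added example (not Avanan's code), the following is a minimal receiver for the HTTP Collector transport described above: it checks the configured bearer token and custom header with constant-time comparisons before accepting JSON events. The token value, header name and listening port are constructed placeholders; in a real deployment the endpoint sits behind TLS at the HTTPS URL you entered in the configuration.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample values; use the bearer token and custom header you
# entered in the HTTP Collector configuration instead.
EXPECTED_BEARER = "example-bearer-token-not-real"
REQUIRED_CUSTOM_HEADERS = {"X-Source": "avanan"}


def authorize(headers, expected_bearer=EXPECTED_BEARER,
              required=REQUIRED_CUSTOM_HEADERS):
    """True only if the Authorization header carries the expected bearer
    token and every required custom header has its expected value.
    Comparisons are constant-time so the token is not leaked via timing."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False
    if not hmac.compare_digest(token.encode(), expected_bearer.encode()):
        return False
    for name, value in required.items():
        got = headers.get(name, "")
        if not hmac.compare_digest(got.encode(), value.encode()):
            return False
    return True


def parse_events(body):
    """Parse a JSON body into a list of event dicts; None if malformed."""
    try:
        data = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return None
    if isinstance(data, dict):
        data = [data]                  # a single event is also accepted
    if not isinstance(data, list) or not all(isinstance(e, dict) for e in data):
        return None
    return data


class CollectorHandler(BaseHTTPRequestHandler):
    def _reply(self, code):
        self.send_response(code)
        self.end_headers()

    def do_POST(self):
        if not authorize(self.headers):          # header lookup is case-insensitive here
            return self._reply(401)
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        events = parse_events(body)
        if events is None:
            return self._reply(400)
        for event in events:
            print(json.dumps(event))             # hand off to your SIEM pipeline here
        self._reply(200)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8443), CollectorHandler).serve_forever()
```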