Configuring SIEM Integration

To configure SIEM integration from the Check Point Portal:
  1. Click Security Settings > Security Engines.
  2. Click Configure for SIEM Integration.
  3. Select the required Transport method and enter the relevant details.

    Supported Transport methods and their required fields:

    Splunk HTTP Event Collector (HEC)
      • HTTP Event Collector Host / URI
      • HTTP Event Collector Token
      • (Optional) Use indexer acknowledgment — Select the Use indexer acknowledgment checkbox and enter the Channel ID. Each request then carries the X-Splunk-Request-Channel header with the channel ID as its value.
      • (Optional) Use Splunk index — Select the Use Splunk index checkbox and enter the Splunk index name. The index name is added as the value of the index key at the top level of the payload.
      • (Optional) Verify SSL (CA certificate required) — If you have an on-prem Splunk, contact Avanan Support and provide your certificate before you select the Verify SSL (CA certificate required) checkbox.

    HTTP Collector
      • HTTP Collector URL (HTTP/HTTPS), for example https://myconnector.mycompany.com
      • (Optional) Verify SSL (CA certificate required) — If you use a custom certificate, contact Avanan Support, provide the certificate, and wait for their approval before you select the Verify SSL (CA certificate required) checkbox.
      • Authentication — If you use a bearer token, click Add Authentication and select Bearer Token from the Authentication Type dropdown. In the Bearer Token field, enter the bearer token.
      • Custom headers — To add a custom header to each event, select the Add custom header checkbox and enter the header name and value. To add another one, select the Add another custom header checkbox.

    AWS S3
      • See Forwarding Events to AWS S3.

    AWS SQS
      • AWS SQS Queue URL — If you want to use a queue maintained by Avanan, contact Avanan Support to get the URL, client ID, and client secret.
      • Use External SQS Queue — To use your own SQS queue, select the Use External SQS Queue checkbox and provide the AWS IAM Role ARN.

    Azure Sentinel
      Note: You first need to set up the Avanan Azure Sentinel connector in your Azure tenant.
      • Tenant ID
      • DCE Domain
      • DCR ID
      • Stream Table Name
      • Application Client ID
      • Application Client Secret

    Azure Log Workspace
      • Azure Log Workspace ID
      • Azure Log Workspace Shared Key

    TCP
      • TCP Host
      • TCP Port
      • Use TLS — Before you select the Use TLS checkbox, contact Avanan Support, provide your certificate, and wait for their approval.

    Google Chronicle
      • Customer ID — Unique identifier (UUID) of your Chronicle instance.
      • Account Region — Region where your Chronicle instance is created.
      • Credentials JSON — Google Service Account credentials.
        Note: If the Credentials JSON option is not available, contact Google support.
      • Ingestion API — Google Chronicle Ingestion API type:
        • Unified Data Model (UDM) event
          Note: If you choose the Unified Data Model (UDM) event option, make sure to select this format: JSON (Google UDM Compatible).
        • Unstructured log
          Note: If you choose the Unstructured log option, make sure to select this format: Google Chronicle Unstructured Logs.

    CrowdStrike NG-SIEM
      See CrowdStrike Integration.
      • CrowdStrike Event Collector Host / URL
      • Bearer Token

  4. Select the required log Format.
    • JSON (Splunk HEC/CIM compatible)

    • JSON (CIM compatible)

    • JSON

    • JSON Flat (dot notation)

    • JSON (Rapid7, <8k characters)

    • JSON (Elastic ECS compatible)

    • JSON (Crowdstrike ECS compatible)

    • JSON (Google UDM compatible)

    • Syslog (See Forwarding Logs in Syslog Format)

    • Google Chronicle Unstructured logs

    For more information, see Extending Formats to Include Additional Information.

  5. Click Save.
Note:

After you configure the SIEM integration, Avanan starts sending logs. You have to configure your SIEM platform to receive Avanan logs.
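The HTTP Collector transport above sends each event as an HTTP request carrying the bearer token and any custom headers you configured. The following receiver is an added example (not Check Point or Avanan code) of the checks such an endpoint should make before accepting an event; the token value and the custom header name X-Source are constructed for the example.

```python
"""Minimal receiver for the HTTP Collector transport: validates the bearer
token and configured custom headers, then parses the JSON event body.
Added example, not vendor code. Token and header values are constructed."""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

EXPECTED_TOKEN = "constructed-example-token"   # constructed sample value
REQUIRED_HEADERS = {"x-source": "avanan"}      # hypothetical custom header


def check_request(headers, body):
    """Return (HTTP status, parsed event) for one inbound request.

    Header names are matched case-insensitively, as HTTP requires.
    The event is None whenever the request is rejected.
    """
    hdrs = {name.lower(): value for name, value in headers.items()}
    scheme, _, token = hdrs.get("authorization", "").partition(" ")
    # Constant-time comparison so timing does not leak how much of the token matched.
    if scheme != "Bearer" or not hmac.compare_digest(token, EXPECTED_TOKEN):
        return 401, None
    for name, value in REQUIRED_HEADERS.items():
        if hdrs.get(name) != value:
            return 403, None
    try:
        event = json.loads(body)
    except ValueError:
        return 400, None
    if not isinstance(event, dict):     # each event is expected to be a JSON object
        return 400, None
    return 200, event


class CollectorHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        status, event = check_request(dict(self.headers), self.rfile.read(length))
        if event is not None:
            print(json.dumps(event))  # stand-in for handing the event to the SIEM
        self.send_response(status)
        self.end_headers()


if __name__ == "__main__":
    # Terminate TLS in front of this listener; the example serves plain HTTP only.
    HTTPServer(("127.0.0.1", 8080), CollectorHandler).serve_forever()
```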