Recommended Configuration for known SIEM Platforms

Each entry below lists the SIEM platform, the recommended transport method (with the fields you must supply for it), and the log format to select.

SIEM Platform: Splunk
  Transport Method: Splunk HTTP Event Collector (HEC)
    • HTTP Event Collector Host / URI - Host or URI value from the Splunk HEC configuration
    • HTTP Event Collector Token - value from the Splunk HEC configuration
  Log Format: JSON (Splunk HEC/CIM compatible)

SIEM Platform: Rapid7
  Transport Method: AWS SQS
  Log Format: JSON (Rapid7, <8k characters)

SIEM Platform: Sumo Logic
  Transport Method: HTTP Collector
    • HTTP Collector URL (HTTP/HTTPS) - value from Sumo Logic
      For example, https://myconnector.mycompany.com
  Log Format: JSON

SIEM Platform: Azure Log Workspace
  Transport Method: Azure Log Workspace
    • Azure Log Workspace ID - value from the Azure configuration
    • Azure Log Workspace Shared Key - value from the Azure configuration
  Log Format: JSON

SIEM Platform: LogRhythm
  Transport Method: AWS S3
    For the fields required for AWS S3, see Supported Transport methods.
    If a new S3 bucket is needed, follow the specific instructions for configuring the S3 bucket. For more details, see Forwarding Events to AWS S3.
  Log Format: JSON

SIEM Platform: McAfee SIEM
  Transport Method: AWS S3
    For the fields required for AWS S3, see Supported Transport methods.
    If a new S3 bucket is needed, follow the specific instructions for configuring the S3 bucket. For more details, see Forwarding Events to AWS S3.
    To receive the logs from the S3 bucket in McAfee SIEM, refer to Configuration of Amazon S3 upload feature and the McAfee Documentation.
  Log Format: JSON

SIEM Platform: Other

Avanan can integrate with any SIEM platform. If you need help configuring your SIEM platform to integrate with Avanan, contact Avanan Support.