Integrating with SIEM platforms

In this collection of topics, you will learn how to integrate Portnox™ Cloud with different security information and event management (SIEM) platforms.

Portnox Cloud integrates with SIEM platforms by exporting events, which security analysts can classify and analyze using the SIEM platform.

You can export the following types of events:

  • All Cloud alerts, for example, device connections, connection failures, synchronization with external repositories, and more.

  • All the actions in the Cloud web interface, for example, creating a group, modifying a policy, and more.

Note:
You cannot export detailed AAA logs to SIEM platforms.

For examples how to integrate Cloud with a specific platform, see the menu on the left-hand side. Note that Cloud is compatible with all SIEM platforms that can import syslog events, which means practically all existing SIEM platforms.

To learn more about the content and format of events sent to SIEM, see the following topic: Format and content of alert information for SIEM.

To configure the types of alerts sent to SIEM, see the following topic: Portnox Cloud alerts.

Integrate with a generic SIEM

In this section, you will learn about the options that are available in Cloud to integrate it with SIEM solution. These options may help you integrate Cloud with software that is not specifically described in our list (both cloud solutions and on-premises solutions).

To access the configuration for integration with SIEM solutions, click on: Settings > Integration Services > SIEM INTEGRATION SERVICE

Then, click on the Add new SIEM link to create a new SIEM integration configuration.

Below is the explanation of the available options and their potential use.

  • Integration type: Select the type/brand of SIEM software that you want to integrate with.

    • Custom: Select this option for all SIEM software other than the specific ones listed in this option.
    • Named options: Select an option for a specific SIEM type that requires a different integration. For example, select Datadog to integrate with Datadog SIEM.
  • Name: Enter a unique name for this integration configuration.

  • Status: Use this option only if you need to temporarily disable the integration and you do not want to delete the entire configuration.

    • Disabled: If you select this option, this integration will be disabled.
    • Enabled: If you select this option, this integration will be active.
  • Protocol type: Select the protocol that will be used by Cloud to send events to the SIEM solution.

    The most common method used to send events to SIEM solution is the syslog client-server architecture. This architecture describes the format of the log messages, but they can be sent to the syslog server over different protocols.

    • Syslog over TCP: The messages in syslog format are sent using the TCP protocol. This requires the syslog server to be listening on an open TCP port. Note that the messages are sent in clear text and can be intercepted.
    • Syslog over UDP: The messages in syslog format are sent using the UDP protocol. This requires the syslog server to be listening on an open UDP port. Note that the messages are sent in clear text and can be intercepted.
    • Syslog over TLS: The messages in syslog format are sent using a TLS tunnel. This requires a TLS tunnel to be established between the client and the server. Messages are then sent encrypted and cannot be intercepted.
    • HTTPS: The events are sent using an HTTPS connection. This requires an HTTPS collector listening for messages. This is a common option in cloud-based SIEM solutions such as Splunk or Sumo Logic.
    Important:
    In some cases, the SIEM platform does not provide a syslog server and you may need a third-party syslog server that acts as temporary log storage. You can set up such a server, for example, in an Azure cloud or on-premises. In such cases, Cloud sends the events to the cloud syslog server, and your SIEM solution picks them up from the syslog server.
  • IP: The IP address that Cloud sends events to.

    For direct communication, this must be an external IP address that Cloud can connect to. If you need to configure the firewall to restrict this access to specific IPs, use the following IP addresses: 23.97.155.157, 52.168.164.222, 20.72.156.111, and 51.124.144.69.

  • Port: The port number that Cloud sends events to.

  • Communication method: Decides how Cloud is to send events to the SIEM solution.

    • Direct: Cloud will send direct messages to an external, public IP address and port as configured. You can use this method, if your cloud solution has an open port to receive messages in your cloud tenant, if your cloud solution uses a HTTPS log collector, if you have a syslog server in a public cloud such as Azure, or if you have an on-premises syslog server that listens on a public IP and port.
    • Via Portnox Cloud Directory Broker: Use an on-premises Portnox LDAP Broker to collect the messages from Portnox Cloud and send them locally to your on-premises solution. In such case, the IP address and port that you specify above are the local IP address and port accessible from the machine running LDAP Broker.
    • Via Docker image: portnox-siem: Use an on-premises portnox-siem Docker image to collect the messages from Portnox cloud and send them locally to your on-premises solution. In such case, the IP address and port that you specify above are the local IP address and port accessible from the machine running the Docker image.

    By using Portnox LDAP Broker or the Docker image, you can avoid the need to have a public IP address and port to collect the logs. You can set up your syslog collector on a local machine, set up the Docker image or LDAP Broker on the same or another machine in the same local network, and then the Docker image or LDAP Broker will poll Portnox Cloud to obtain new messages and send these messages locally to your local network syslog server.

    Note:
    Portnox LDAP Broker requires Active Directory on-premises, and you need to integrate Cloud with Active Directory. The Docker image has no such requirements, and is therefore a better choice in most environments.
  • Data format: What format should the Cloud events be sent in.

    • JSON: The JSON format is almost exclusively used with HTTPS collectors (see the Protocol type field).
    • CEF: The CEF format (Common Event Format) is used as an extension of the syslog format to allow for sending security messages to SIEM software. If you collect data using syslog, you will most probably need to select this option.
  • Alert notification interval (minutes): Specifies how often events are to be sent from Portnox Cloud to your SIEM software.

  • Health check interval (minutes): Specifies how often Portnox Cloud sends health check messages to your SIEM software, if there are no new events to send.

  • Unmerge alerts: Portnox Cloud merges some alerts into a single alert for convenience. If you would rather receive every alert separately, activate this checkbox.