SIEM
CloudAlly enables you to integrate with SIEM systems in order to help you increase operational efficiency by unifying threat detection, investigation and response workflows.
Splunk
The first available CloudAlly SIEM integration is with Splunk, using the Splunk HTTP Event Collector (HEC).
Versions Supported:
Which Events are Sent to Splunk?
You can choose to send one or more of the following to Splunk:
- Customers’ activity events, such as backups and restores
- Customers’ Security Audit logs (see LINK TO SECURITY AUDIT PAGE)
NOTE: CloudAlly sends events to Splunk periodically, approximately every 10 minutes.
Pre-requisite: Setting Up Your Splunk Account
Before you can connect your CloudAlly account to Splunk, you first need to establish an account with Splunk and configure the Splunk HTTP Event Collector.
Perform the following steps in the Splunk Admin Console.
1. Navigate to Settings > Data Inputs > HTTP Event Collector.
2. Under the Global Settings option:
- Enable the HTTP Event Collector by setting All Tokens to Enabled.
- Choose json as the default source type.
- Check Enable SSL.
3. Under the New Token option, create a new token and copy the value - it will be used in the CloudAlly Portal.
IMPORTANT NOTE: Do NOT check "Enable indexer Acknowledgment."
4. Find Your HEC URL
The standard form for the HEC URL varies, depending on the Splunk software type you have. Find the standard form on this page: Set up and use HTTP Event Collector in Splunk Web.
5. Verify that you have set up an SSL certificate issued by a commonly accepted certificate authority (CA) on the Splunk HEC endpoint.
Setting Up Splunk in the Portal
1. From the navigation pane, click Settings > SIEM.
2. Click Splunk > Connect. Complete the fields on the following screen:
- Enter the Splunk HTTP Event Collector URL.
- Paste the token value that you copied into the Splunk Token field.
- Optional: Add the Event Source, which is the override value assigned to the event data.
- By default, the two options at the bottom are selected. De-select any that are not relevant for you:
- Send customer activity events
- Send customer audit log
3. Click Save. The Splunk tile will now be Active.
To delete the integration, click Edit > Delete.
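As an added example (not CloudAlly's or Splunk's own code), the script below sends events to a HEC endpoint in the form the settings above describe: JSON source type, an optional source override, a `Splunk <token>` authorization header, and TLS verification left on so the certificate check in step 5 is enforced. The HEC host, token and event fields are placeholders or constructed samples.

```python
"""Send sample events to a Splunk HTTP Event Collector (HEC) endpoint."""
import json
import ssl
import time
import urllib.request

# Constructed samples mirroring the two event categories the integration can send.
SAMPLE_EVENTS = [
    {"category": "activity", "action": "backup", "service": "example-service", "status": "success"},
    {"category": "audit", "action": "login", "user": "admin@example.com", "result": "ok"},
]


def build_hec_event(event, source=None, sourcetype="json", ts=None):
    """Wrap one record in the HEC JSON envelope.

    'sourcetype' matches the default source type chosen in Global Settings;
    'source' is the optional Event Source override entered in the portal.
    """
    envelope = {"event": event, "sourcetype": sourcetype,
                "time": ts if ts is not None else time.time()}
    if source:
        envelope["source"] = source
    return envelope


def build_hec_batch(events, source=None, sourcetype="json", ts=None):
    """HEC accepts several envelopes in one request body, one JSON object per line."""
    return "\n".join(json.dumps(build_hec_event(e, source, sourcetype, ts)) for e in events)


def hec_headers(token):
    # No X-Splunk-Request-Channel header is set: a token with indexer
    # acknowledgment enabled rejects channel-less requests, which is why
    # the integration requires that option to stay unchecked.
    return {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}


def send_to_hec(hec_url, token, events, source=None):
    """POST a batch; the default SSL context validates the HEC certificate chain
    against the system CA store, so a self-signed HEC certificate fails here."""
    body = build_hec_batch(events, source).encode()
    req = urllib.request.Request(hec_url, data=body, headers=hec_headers(token), method="POST")
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read())  # HEC answers {"text": "Success", "code": 0}


if __name__ == "__main__":
    # Placeholder URL and token: replace with your HEC URL and the token copied from Splunk.
    print(send_to_hec("https://splunk.example.com:8088/services/collector/event",
                      "00000000-0000-0000-0000-000000000000", SAMPLE_EVENTS, source="cloudally"))
```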