SIEM integration overview
If you are using a Security Information and Event Management (SIEM) solution and you want the ability to view and analyze Absolute events in your SIEM application, along with events from other sources, you can set up an integration between the two systems using the Absolute SIEM Connector.
The SIEM Connector uses the syslog protocol A protocol that allows event data from different types of systems to be transmitted in a standardized format to a central repository. to send events to a SIEM application, such as RSA® Security Analytics, HP ArcSight, or Splunk®. You can configure the SIEM Connector to send any events that are logged in Absolute and shown on the Events page in the History area.
About SIEM solutions
Security information and event management (SIEM) solutions collect logged events from multiple software programs and store them in a central repository for consolidated reporting and analysis. Organizations can then monitor security events across their system for incident response, forensics, and regulatory compliance.
Role of the Absolute SIEM Connector
Absolute's SIEM integration is created by installing the Absolute SIEM Connector on a computer in your network. The SIEM Connector configures a Windows service that sends REST requests to the Absolute Gateway Server to retrieve event data from the Absolute database. The events are then transmitted in syslog messages to your SIEM's syslog server to allow SIEM users to view, analyze, and report on these events, along with other events within your system.
Figure 1: Network configuration of standard SIEM integration with Absolute SIEM Connector
After the SIEM Connector is installed, it retrieves all applicable events logged within the past 72 hours and sends them to the syslog server. Going forward, the SIEM Connector retrieves new events at the interval set in SIEM Connector configurations. You can set the interval to any value between 5 minutes and 24 hours; the default value is 60 minutes.
To view event data that was triggered prior to the installation of the SIEM Connector, log in to the Secure Endpoint Console and on the navigation bar, click 
History > Events.
Format of syslog messages
The SIEM Connector transmits syslog event messages that contain the following parameters:
| Parameter | Data type | Description |
|---|---|---|
| date | DateTime |
The timestamp when the event occurred Dates and times are formatted in UTC as <yyyy>-<mm>-<dd> <hh>:<mm>:<ss>. For example: 2020-01-26 04:44:45 UTC This field corresponds to the Date column in |
| eventType | String |
The event that occurred This field corresponds to the Event column in |
| actorType | String |
The type of entity that caused the event to occur, such as user, device, or system |
| actorName | String |
The name of the Actor, such as the user's username This field is part of the Summary column in |
| actorId | String |
The unique ID associated with the Actor |
| objectType | String |
The main entity that the Actor intended to affect by the event |
| objectName | String |
The display name of the Object This field is part of the Summary column in |
| objectId | String |
The unique ID associated with the Object |
| objectProperties | String |
The Object properties that changed Includes a list of tuples in one of the following forms:
|
| verb | String | The event that occurred on the object |
| secondaryObjectType | String | The secondary entity that the Actor intended to affect by the event |
| secondaryObjectName | String | The name of the Secondary Object |
| secondaryObjectId | String | The unique ID associated with the Secondary Object |
> Events.Syslog message example
The following syslog message describes an Absolute event in which username [email protected] submitted a Run Script request for device WIN10_12567 to run the Add File / Folder Permissions script:
Mar 4 18:31:34 10.55.12.135 1 "2024-07-06 02:31:35 UTC" COM102352.company123.com AbsoluteSIEMConnector 11756 Absolute.Events - CEF:0 "Absolute Software" AbsoluteSIEMConnector 3.0 date="2024-07-05 02:30:53 UTC" eventType="ScriptRequested" actorType="User" actorName="[email protected]" actorID="511073d2-d5be-4014-a6ed-650dcc1d5c58" objectType="Device" objectName="WIN10_12567" objectID="de94fa2d-0ded-4c86-9740-e955c6ec1cc1" objectProperties="PropertyName=ScriptName;OldValue=;NewValue=Add File / Folder Permissions;" verb="Requested" secondaryObjectType="Request" secondaryObjectName="Request" secondaryObjectID="4478f8a0-2be1-4a8f-a98e-945cdc22b9c2"
To view more details about the syslog message that is transmitted for each event type, see Absolute Events Logged to a SIEM Application.
Setting up the integration
To begin sending events from Absolute to your SIEM application, a user with Manage permissions for SIEM integration, such as a System Administrator, needs to complete the following steps:
Step 1: Download the SIEM Connector from the console and install it on a computer on your network.
Step 2: Select the events to send to your SIEM solution.
About the SIEM Event Reporting API
You can also use the SIEM Event Reporting API to send Absolute events to your SIEM solution. In this case, you do not need to download and install the SIEM Connector, but you do need to do the following:
- Select the events to send to your SIEM solution
- Enable the integration
