SIEM integration
If you are using a Security Information and Event Management (SIEM) solution and you want the ability to view and analyze Absolute 7 events in your SIEM application, along with events from other sources, you can set up an integration between the two systems using the Absolute SIEM Connector.
NOTE If you are currently using the Classic SIEM Connector to send alert events to your SIEM application, you do not need to disable that Connector to use the Absolute 7 SIEM Connector. The events sent by the Classic version are different from the events sent by the Absolute 7 version, so the two versions can run in parallel.
The SIEM Connector uses the syslog protocol (a protocol that allows event data from different types of systems to be transmitted in a standardized format to a central repository) to send events to a SIEM application, such as RSA® Security Analytics, HP ArcSight, or Splunk®. You can configure the SIEM Connector to send any events that are logged in Absolute and shown on the Events page in the History area.
Alternatively, you can use the SIEM Events API to return a list of configured event records for your account once you have configured the SIEM Connector.

Security information and event management (SIEM) solutions collect logged events from multiple software programs and store them in a central repository for consolidated reporting and analysis. Organizations can then monitor security events across their system for incident response, forensics, and regulatory compliance.

Absolute's SIEM integration is created by installing the Absolute SIEM Connector on a computer in your network. The SIEM Connector configures a Windows service that sends REST requests to the Absolute Gateway Server to retrieve event data from the Absolute database. The events are then transmitted in syslog messages to your SIEM's syslog server to allow SIEM users to view, analyze, and report on these events, along with other events within your system.
Figure 1: Network configuration of standard SIEM integration with Absolute SIEM Connector
After the SIEM Connector is installed, it retrieves all applicable events logged within the past 72 hours and sends them to the syslog server. Going forward, the SIEM Connector retrieves new events at the interval set in SIEM Connector configurations. You can set the interval to any value between 5 minutes and 24 hours; the default value is 60 minutes.
NOTE To view event data that was triggered prior to the installation of the SIEM Connector, log in to the Absolute console and on the navigation bar, click History > Events.

The SIEM Connector transmits syslog event messages that contain the following parameters:
Parameter | Data type | Description |
---|---|---|
date | DateTime | The timestamp when the event occurred. Dates and times are formatted in UTC as `<yyyy>-<mm>-<dd> <hh>:<mm>:<ss>`. For example: 2020-01-26 04:44:45 UTC |
eventType | String | The event that occurred |
actorType | String | The type of entity that caused the event to occur, such as user, device, or system |
actorName | String | The name of the Actor, such as the user's username |
actorId | String | The unique ID associated with the Actor |
objectType | String | The main entity that the Actor intended to affect by the event |
objectName | String | The display name of the Object |
objectId | String | The unique ID associated with the Object |
objectProperties | String | The Object properties that changed. Includes a list of tuples in one of the following forms: |
verb | String | The event that occurred on the object |
secondaryObjectType | String | The secondary entity that the Actor intended to affect by the event |
secondaryObjectName | String | The name of the Secondary Object |
secondaryObjectId | String | The unique ID associated with the Secondary Object |
Syslog message example
The following syslog message describes an Absolute event in which username [email protected] submitted a Run Script request for device WIN10_12567 to run the Add File / Folder Permissions script:
Mar 4 18:31:34 10.55.12.135 1 "2020-03-05 02:31:35 UTC" COM102352.company123.com AbsoluteSIEMConnector 11756 Absolute.Events - CEF:0 "Absolute Software" AbsoluteSIEMConnector 2.0 date="2020-03-05 02:30:53 UTC" eventType="ScriptRequested" actorType="User" actorName="[email protected]" actorID="511073d2-d5be-4014-a6ed-650dcc1d5c58" objectType="Device" objectName="WIN10_12567" objectID="de94fa2d-0ded-4c86-9740-e955c6ec1cc1" objectProperties="PropertyName=ScriptName;OldValue=;NewValue=Add File / Folder Permissions;" verb="Requested" secondaryObjectType="Request" secondaryObjectName="Request" secondaryObjectID="4478f8a0-2be1-4a8f-a98e-945cdc22b9c2"
NOTE To view more details about the syslog message that is transmitted for each event type, see Absolute Events Logged to a SIEM Application.
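As an added example (not part of the Absolute documentation or the Connector's own code), the following Python parses a message in the format shown above into its parameters and splits objectProperties into tuples, as a SIEM parser or a detection rule would. The sample message and all names and IDs in it are constructed placeholders, and the assumption that a new tuple begins at each repeated PropertyName is mine, since this page does not list the tuple forms.

```python
import re
from datetime import datetime, timezone

# Constructed sample message, modelled on the Absolute SIEM Connector syslog
# example on this page; host, username and IDs are placeholders, not real data.
SAMPLE = (
    'Mar 4 18:31:34 10.55.12.135 1 "2020-03-05 02:31:35 UTC" host.example.com '
    'AbsoluteSIEMConnector 11756 Absolute.Events - CEF:0 "Absolute Software" '
    'AbsoluteSIEMConnector 2.0 date="2020-03-05 02:30:53 UTC" '
    'eventType="ScriptRequested" actorType="User" actorName="admin@example.com" '
    'actorID="00000000-0000-0000-0000-000000000001" objectType="Device" '
    'objectName="WIN10_12567" objectID="00000000-0000-0000-0000-000000000002" '
    'objectProperties="PropertyName=ScriptName;OldValue=;NewValue=Add File / Folder Permissions;" '
    'verb="Requested" secondaryObjectType="Request" secondaryObjectName="Request" '
    'secondaryObjectID="00000000-0000-0000-0000-000000000003"'
)

# key="value" pairs; values are double-quoted and contain no embedded quotes
_PAIR = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Return the key="value" parameters of one Connector message as a dict."""
    marker = line.find("CEF:0")
    if marker < 0:
        raise ValueError("not an Absolute SIEM Connector CEF message")
    fields = dict(_PAIR.findall(line[marker:]))
    # The date field is UTC in <yyyy>-<mm>-<dd> <hh>:<mm>:<ss> form; anything
    # else is rejected rather than silently mis-timestamped.
    fields["date"] = datetime.strptime(
        fields["date"], "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
    return fields


def parse_object_properties(value):
    """Split objectProperties into a list of tuples (dicts of Name -> Value).

    Assumption: when several tuples are concatenated, each starts with a
    PropertyName entry, so a repeated PropertyName begins a new tuple.
    """
    tuples, current = [], {}
    for item in filter(None, value.split(";")):
        name, _, val = item.partition("=")  # values may themselves contain "/"
        if name == "PropertyName" and current:
            tuples.append(current)
            current = {}
        current[name] = val
    if current:
        tuples.append(current)
    return tuples
```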

To begin sending events from Absolute to your SIEM application, a user with Manage permissions for SIEM integration, such as a System Administrator, needs to complete the following steps:
Step 1: Download the SIEM Connector from the console and install it on a computer on your network.
Step 2: Select the events to send to your SIEM solution.