Setting up integration with a SIEM application
To view and analyze Absolute 7 events in your SIEM application, download, install, and configure the Absolute SIEM Connector.

The Absolute SIEM Connector can be installed on a computer running any of the following operating systems:
- Windows Server®:
  - Windows Server 2019
  - Windows Server 2016
  - Windows Server 2012
- Windows (64- or 32-bit):
  - Windows 10
  - Windows 8 or 8.1
NOTE .NET Framework 4.0 or higher is also required.

- The syslog server and the computer on which you intend to install the SIEM Connector reside within the same network.
- An Internet connection is available.
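
The following PowerShell pre-flight check for the connector host is an added example, not part of Absolute's documentation or tooling. It reports the operating system, reads the .NET Framework 4.x registration from the registry, and tests TCP reachability of the syslog server; the function name `Test-SiemConnectorPrereq`, the host name, and the port are placeholders.

```powershell
# Added example (not Absolute tooling). Function name, host and port are placeholders.
function Test-SiemConnectorPrereq {
    param(
        [Parameter(Mandatory = $true)][string]$SyslogHost,
        [int]$SyslogPort = 514,   # assumed port; use the one your syslog server listens on
        [int]$TimeoutMs = 3000
    )

    # Operating system: compare the caption with the supported list on this page.
    $caption = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    $osOk = $caption -match 'Windows (Server (2019|2016|2012)|10|8)'

    # .NET Framework 4.x registers under this key; Install = 1 means 4.0 or higher is present.
    $ndpKey = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $ndp = Get-ItemProperty -Path $ndpKey -ErrorAction SilentlyContinue
    $dotNetOk = [bool]($ndp -and $ndp.Install -eq 1)

    # TCP reachability of the syslog server. A UDP listener cannot be confirmed
    # this way because UDP has no connection handshake.
    $tcpOk = $false
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($SyslogHost, $SyslogPort, $null, $null)
        if ($pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $client.EndConnect($pending)   # throws if the connection was refused
            $tcpOk = $client.Connected
        }
    } catch {
        $tcpOk = $false
    } finally {
        $client.Close()
    }

    [pscustomobject]@{
        OperatingSystem    = $caption
        SupportedOs        = $osOk
        DotNetVersion      = if ($ndp) { $ndp.Version } else { 'not found' }
        DotNet4OrHigher    = $dotNetOk
        SyslogTarget       = "${SyslogHost}:$SyslogPort"
        SyslogTcpReachable = $tcpOk
    }
}

# Placeholder target; replace with your syslog server.
Test-SiemConnectorPrereq -SyslogHost 'syslog.example.internal' -SyslogPort 514
```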

To download and install the SIEM Connector:
- Log in to the network computer on which you want to install the SIEM Connector.
- Log in to the Absolute console as a user with Manage permissions for SIEM integration. The System Administrator role is the only Default role with this permission.
- To authenticate the communication between the SIEM Connector and your SIEM application, you need to generate an API token and then upload the API token file during the SIEM Connector installation process:
  - Complete the steps to create an API token file.
  - Download the file to your computer.
- On the navigation bar, click the icon to open the Settings area.
- On the sidebar, click SIEM Integration.
- Under Step 1: Install the SIEM Connector, click Download SIEM Connector. The installer is downloaded.
- Install the SIEM Connector:
  - On the network computer, navigate to the location where you downloaded the AbsoluteSIEMConnector<x.x>.msi file from the Absolute console and double-click the file.
  - On the Welcome page of the Absolute SIEM Connector Setup Wizard, click Next.
  - Review and accept the terms and conditions of the End-User Service Agreement and click Next.
  - On the Destination Folder page, do one of the following:
    - To install to the default folder shown in the field, click Next.
    - To install to a different folder, click Change, navigate to and select the applicable folder on your local drive, and then click OK.
  - On the API token configuration page, do the following:
    - Next to the Token File field, click Browse and navigate to and select the API token file (.token) that you downloaded in step 3.
    - To encrypt the token ID and secret key, generate a .key file by clicking the Encryption Key field and entering a value up to 256 characters in length. Any combination of characters, numbers, and symbols is supported.
    - In the Update Interval field, enter how frequently you want the SIEM Connector service to check for new events in Absolute. You can set the interval to any value between 5 minutes and 1440 minutes (24 hours). The default interval is 60 minutes.
    - Click Next. The system verifies that the username and password you entered are valid.

    NOTE The SIEMEncryptionKey.key file is stored in C:\Users\<userprofile>\AppData\Local\Absolute SIEM Connector. Do not delete this file.
  - On the Syslog server configuration page, do the following:
    - Enter the Hostname of the syslog server.
    - Enter the Port number for syslog messages.
    - Select the TCP or UDP protocol.
    - Click Next.

    NOTE The TCP protocol is recommended as it is more reliable than UDP.
  - On the Ready to install Absolute SIEM Connector page, click Install and wait for the installation to finish.
  - Click Finish. The SIEM Connector is installed.

NOTE If you need to update the SIEM Connector configurations after the Connector is installed, use the Uninstall or change a program feature in Windows Control Panel to open the Absolute SIEM Connector Setup Wizard. You can then edit the applicable configurations. For more information about updating programs using the Control Panel, see Windows documentation.
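
The SIEMEncryptionKey.key file protects the stored token ID and secret key, so it is worth confirming after installation that the file exists and who can access it. The PowerShell check below is an added example, not part of Absolute's tooling; it assumes it is run as the Windows user who installed the connector, and the list of expected accounts is an assumption to adjust to your own policy.

```powershell
# Added example (not Absolute tooling). Run as the Windows user who installed the connector.
# Assumption: $env:LOCALAPPDATA resolves to that user's C:\Users\<userprofile>\AppData\Local.
$keyPath = Join-Path $env:LOCALAPPDATA 'Absolute SIEM Connector\SIEMEncryptionKey.key'

# Accounts expected to hold access (assumption; adjust to your own policy).
$expected = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
)

if (-not (Test-Path -LiteralPath $keyPath)) {
    Write-Warning "Key file not found: $keyPath"
} else {
    $acl = Get-Acl -LiteralPath $keyPath

    # Allow entries granted to any account outside the expected list.
    $unexpected = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $expected -notcontains $_.IdentityReference.Value
    })

    # Summary: owner, last modification time, and count of unexpected entries.
    [pscustomobject]@{
        Path           = $keyPath
        Owner          = $acl.Owner
        LastWriteTime  = (Get-Item -LiteralPath $keyPath).LastWriteTime
        UnexpectedAces = $unexpected.Count
    } | Format-List

    # Detail: each unexpected entry with its rights and whether it is inherited.
    $unexpected |
        Select-Object IdentityReference, FileSystemRights, IsInherited |
        Format-Table -AutoSize
}
```

A non-zero `UnexpectedAces` count usually points to permissions inherited from the parent folder; the `IsInherited` column shows whether that is the case.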

Configuring the integration consists of selecting the events to send to your SIEM application and enabling (or disabling) the integration.
- Log in to the Absolute console as a user with Manage permissions for SIEM integration. The System Administrator role is the only Default role with this permission.
- On the navigation bar, click the icon to open the Settings area.
- On the sidebar, click SIEM Integration.
- If the SIEM integration is currently disabled, under Step 2: Configure the integration, click OFF to toggle the switch to ON. The integration is enabled.
- Click View events. The list of Absolute events that you can send to your SIEM application shows in the grid.
- Select the check box next to each event that you want to send to your SIEM application. To find an individual event in the list, enter a keyword in the Search field. The search results update dynamically as you type. To select all events, select the check box next to the Search field.
- [Optional] When you are finished, review your selections by clicking Hide unselected. To show all events again, click Show unselected.
- Going forward, Absolute may release new features and functionality that introduce new event types. To ensure that the events associated with each new event type are sent to your SIEM application, select the check box next to Automatically select all new event types.
- Click Save. The integration is configured. The number of selected events shows above the grid next to Selected events.

- Log in to the Absolute console as a user with Manage permissions for SIEM integration. The System Administrator role is the only Default role with this permission.
- On the navigation bar, click the icon to open the Settings area.
- On the sidebar, click SIEM Integration.
- Under Step 2: Configure the integration, do one of the following:
  - To enable the integration if it is disabled, click the switch to set it to ON. The system starts sending events from your Absolute account to your SIEM application.
  - To disable the integration if it is enabled, click the switch to set it to OFF. The system stops sending events from your Absolute account to your SIEM application.