Enabling SIEM Integration

Updated by vinugayathri.chinnasamy@indusface.com

AppTrana enables its customers to seamlessly integrate logs produced by the WAF with third-party SIEM platforms to provide detailed security event logs and alerts.

This integration works by automatically transferring the logs the WAF produces to an AWS S3 bucket. From there, SIEM tools retrieve the logs for analysis.

AppTrana WAAP facilitates SIEM integration through two methods:

1. ARN-based Integration – Granting customers access to the S3 bucket and whitelisting the SIEM's AWS Account ID.

2. S3 Bucket Access & Whitelisting - Generating and sharing ARNs for customers' AWS accounts to access our S3 bucket.

 

1. ARN-based Integration

Customers are required to configure their SIEM platform to access the Indusface S3 bucket with role-based access.

  1. Navigate to "Settings" and select "SIEM Integration" in the AppTrana WAAP dashboard.
  2. Ensure "All Sites" is selected to configure SIEM integration.
     Note: On AppTrana WAAP, SIEM integration cannot be configured individually for each app; it must be set up for all sites simultaneously.
  3. Enter the AWS account ID details associated with your SIEM tool and its corresponding external ID.
  4. The provided AWS Account ID and External ID are verified using the AWS-provided API.
  5. Upon successful validation, a dedicated folder is created within the S3 bucket for the specified application.
  6. The S3 path and ARN details are provided to the customer for accessing logs.
  7. Customers must input the bucket details (S3 path and ARN details) into their SIEM tool settings to access logs from the Indusface S3 bucket.
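A pre-flight check for the values from the last two steps, as an added example that is not Indusface's own code: it validates the ARN, external ID and S3 path before they go into the SIEM, then assumes the role and lists a few log objects. It assumes the ARN is an IAM role ARN assumed through AWS STS and that the S3 path is given in `s3://bucket/prefix` form; the session name, function names and sample values are hypothetical.

```python
import re
from urllib.parse import urlparse

# Assumption: the ARN handed to the customer is an IAM role ARN.
ROLE_ARN = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):role/[\w+=,.@/-]+$", re.ASCII)

def parse_role_arn(arn):
    """Return the 12-digit account ID that owns the role, or raise ValueError."""
    m = ROLE_ARN.match(arn.strip())
    if not m:
        raise ValueError(f"not an IAM role ARN: {arn!r}")
    return m.group(2)

def parse_s3_path(path):
    """Split s3://bucket/prefix into (bucket, prefix ending in a slash)."""
    u = urlparse(path.strip())
    if u.scheme != "s3" or not u.netloc:
        raise ValueError(f"not an s3:// path: {path!r}")
    prefix = u.path.lstrip("/")
    if prefix and not prefix.endswith("/"):
        prefix += "/"  # avoid matching sibling folders that share the prefix
    return u.netloc, prefix

def build_requests(role_arn, external_id, s3_path):
    """Validate the dashboard values; return kwargs for the STS and S3 calls."""
    if not re.fullmatch(r"[\w+=,.@:/-]{2,1224}", external_id, re.ASCII):
        raise ValueError("external ID violates the STS length or character rules")
    parse_role_arn(role_arn)
    bucket, prefix = parse_s3_path(s3_path)
    sts = {"RoleArn": role_arn.strip(), "ExternalId": external_id,
           "RoleSessionName": "siem-log-reader", "DurationSeconds": 900}
    s3 = {"Bucket": bucket, "Prefix": prefix, "MaxKeys": 5}
    return sts, s3

def list_sample_keys(role_arn, external_id, s3_path):
    """Assume the role with the external ID and list a few log objects."""
    import boto3  # imported lazily: only this function needs AWS access
    sts_args, s3_args = build_requests(role_arn, external_id, s3_path)
    creds = boto3.client("sts").assume_role(**sts_args)["Credentials"]
    s3 = boto3.client("s3", aws_access_key_id=creds["AccessKeyId"],
                      aws_secret_access_key=creds["SecretAccessKey"],
                      aws_session_token=creds["SessionToken"])
    resp = s3.list_objects_v2(**s3_args)
    return [obj["Key"] for obj in resp.get("Contents", [])]

# Constructed placeholder values, not real Indusface identifiers.
SAMPLE_ARN = "arn:aws:iam::111122223333:role/example-siem-reader"
SAMPLE_PATH = "s3://example-log-bucket/example-customer"
```

Run `list_sample_keys` from the AWS account whose ID was entered in the dashboard; an `AccessDenied` from the STS call points at the account ID or external ID, one from the S3 call points at the path.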

 

Merging access and attack logs via APIs with this approach consumes significant resources, so the S3 Bucket Access & Whitelisting method is recommended instead.

2. S3 Bucket Access & Whitelisting

This approach utilizes S3 log push, allowing customers to analyze attack and access logs without overloading resources.

Setup and Configuration:

  1. The customer is required to initiate a request to create a custom S3 bucket by contacting support@indusface.com.
  2. AppTrana's team proceeds to create the S3 bucket for the customer.
  3. Upon creation, the customer receives an email containing the details of the S3 bucket.
  4. Additionally, the customer is prompted to provide the AWS account ID used by their SIEM tool.
  5. The customer is required to share their AWS Account ID with the AppTrana team.
  6. Subsequently, the AWS Account ID is whitelisted for access to the S3 bucket.
  7. With the setup complete, the customer can begin pulling security logs into their SIEM tool.

 
