Enable SIEM Integration
Introduction
AppTrana enables its customers to seamlessly integrate logs produced by the WAF with third-party SIEM platforms to provide detailed security event logs and alerts.
This integration works by automatically transferring the logs the WAF produces to an AWS S3 bucket. From there, SIEM tools retrieve the logs for analysis.
How to configure SIEM details in AppTrana?
- Navigate to Settings > SIEM Integration > S3 Integration.
- By default, the connection method is Generic - AWS (Acc ID, External ID with ARN).
- Enter the SIEM AWS account ID and External ID in the respective fields.
- Click Save.
The SIEM account ID and External ID can be found in the relevant section of the user's SIEM tool, such as RSA, Splunk, McAfee, Sumo Logic, and so on.
- The provided AWS Account ID and External ID are verified using the AWS-provided API.
- Upon successful validation, a dedicated folder is created within the S3 bucket for the specified application.
- The S3 path and ARN details are provided to the customer for accessing logs.
Note: On AppTrana WAAP, SIEM integration cannot be configured individually for each app; it must be set up for all sites simultaneously.
Note: Customers must input the bucket details (S3 path and ARN details) into their SIEM tool settings to access logs from the Indusface S3 bucket.
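The Generic - AWS method above pairs an AWS account ID with an External ID, which is the pattern AWS documents for third-party cross-account access. As an added example (not AppTrana or Indusface code), the Python check below audits an IAM role trust policy of that shape and reports whether only the SIEM account can assume the role, and only with the expected External ID. It assumes the ARN given to the customer is an IAM role that the SIEM assumes; the policy, account ID and External ID are constructed placeholders.

```python
import json

# Constructed sample trust policy (placeholder account ID and External ID).
SAMPLE_TRUST_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
   "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
   "Action": "sts:AssumeRole",
   "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy, siem_account_id, external_id):
    """Return findings; an empty list means only the SIEM account can assume
    the role, and only when it presents the expected External ID."""
    findings, seen_allow = [], False
    expected = {siem_account_id, f"arn:aws:iam::{siem_account_id}:root"}
    for stmt in _as_list(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        seen_allow = True
        principal = stmt.get("Principal", {})
        # "Principal": "*" and {"AWS": "*"} both mean any AWS account.
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws:
            if p not in expected:
                findings.append(f"unexpected principal: {p}")
        # Only an exact StringEquals match counts; condition key names are
        # case-insensitive in IAM, so compare them lowercased.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ids = [v for k, v in equals.items() if k.lower() == "sts:externalid"]
        if not ids:
            findings.append("no sts:ExternalId condition (confused deputy risk)")
        elif set(_as_list(ids[0])) != {external_id}:
            findings.append("sts:ExternalId does not match the configured value")
    if not seen_allow:
        findings.append("no Allow statement for sts:AssumeRole")
    return findings

if __name__ == "__main__":
    print(check_trust_policy(SAMPLE_TRUST_POLICY, "111122223333", "example-external-id"))
```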
Because merging access and attack logs via APIs with this approach consumes significant resources, the S3 Bucket Access & Whitelisting method is recommended instead.
S3 Bucket Access & Whitelisting
This approach utilizes S3 log push, allowing customers to analyze attack and access logs without overloading resources.
Setup and Configuration:
- Customers are required to initiate a request to create a custom S3 bucket by contacting support@indusface.com.
- The AppTrana team then creates the S3 bucket for the customer.
- Upon creation, the customer receives an email containing the details of the S3 bucket.
- Additionally, the customer is prompted to provide the AWS account ID used by their SIEM tool.
- The customer is required to share their AWS Account ID with the AppTrana team.
- Subsequently, the AWS Account ID is whitelisted for access to the S3 bucket.
- With the setup complete, the customer can begin pulling security logs into their SIEM tool.