Help Center
News
Indusface
Help Center
News
Indusface
AppTrana
OverviewOnboarding to AppTranaComparison between Old Portal and New Portal
Dashboard
Groups & Assets
Manage Assets
WAAP
Vulnerability
Attacks
Bandwidth
Actions
Logs & Reports
License & Utilizatiion
Settings
Manage ProfileEnable SIEM IntegrationSIEM Integration through API Configure Custom Error & Maintenance PageCI/CD Integration
Profile
Others
Indusface WAS
Additional Resources
Zero-Day Vulnerability Reports
Security Bulletins
Vulnerability data
Vulnerabilities 2024
Vulnerabilities 2025
Other Vulnerabilities
AppTrana API Integration
Indusface Partner APIsAuthentication through Login APIAPI Request to Purge CDN DataUpdate Origin Server Address through API CallAPI Request to Blacklist IPs
Release Notes
Release Notes
Indusface WAS

Enable SIEM Integration

Introduction

AppTrana enables its customers to seamlessly integrate logs produced by the WAF with third-party SIEM platforms to provide detailed security event logs and alerts.

This integration is accomplished through the autonomous transfer of logs the WAF produces to an AWS S3 bucket. From there, SIEM tools obtain the logs for analysis.

How to configure SIEM details in AppTrana? 

  • Navigate to Settings > SIEM Integration > S3 Integration.
  • By default, connection method is Generic - AWS (Acc ID, External ID with ARN).
  • Enter the SIEM AWS account ID, External ID in respective fields.
  • Click Save.

The SIEM account ID and External ID are present in the users SIEM sections. Likewise RSA, Splunk, McAfee, Sumo Logic, and so on.

  • The provided AWS Account ID and External ID are verified using the AWS-provided API.
  • Upon successful validation, a dedicated folder is created within the S3 bucket for the specified application.
  • The S3 path and ARN details are provided to the customer for accessing logs.

Note: On AppTrana WAAP, SIEM integration cannot be configured individually for each app; it must be set up for all sites simultaneously

Note: Customers must input the bucket details (S3 path and ARN details) into their SIEM tool settings to access logs from the Indusface S3 bucket.

 Considering the high resource consumption involved in merging access and attack logs via APIs using this approach, it's recommended to consider utilizing the S3 Bucket Access & Whitelisting method instead.

S3 Bucket Access & Whitelisting

This approach utilizes S3 log push, allowing customers to analyze attack and access logs without overloading resources.

Setup and Configuration:

  • Customers are required to initiate a request to create a custom S3 bucket by contacting support@indusface.com.
  • AppTrana team proceeds to create the S3 bucket for the customer.
  • Upon creation, the customer receives an email containing the details of the S3 bucket.
  • Additionally, the customer is prompted to provide the AWS account ID used by their SIEM tool.
  • The customer is required to share their AWS Account ID with the AppTrana team.
  • Subsequently, the AWS Account ID is whitelisted for access to the S3 bucket.
  • The customer can begin accessing security logs into their SIEM tool with the setup complete.

 

Was this helpful?

Powered by Product Fruits