SIEM Integration with Sumo Logic

Updated by Rama Sadhu

SIEM integration is the process of connecting a Security Information and Event Management (SIEM) system with WAS. Once the SIEM is integrated, the WAS scan log details are available in the SIEM.

How to configure SIEM details in WAS, using a Sumo Logic SIEM account as an example?

Step 1: Enable SIEM 

  • Go to the Settings menu.
  • Click on the Scan Logs Config tab.
  • Click the Enable SIEM S3 Logs toggle button to enable it.
  • Enter the Account ID and External ID in the respective fields and then click on the Submit button.
    The Account ID and External ID are provided by the user's SIEM solution, such as RSA, Splunk, McAfee, Sumo Logic, and so on.

Step 2: Log on to Sumo Logic 

  • Sign in to Sumo Logic.
  • From the Home page, click Install Collector > Go to Collection Page.
  • Go to Collection > Add Source.
  • Search for a resource or select the respective resource for logs.
  • For this use case, we have selected Amazon S3.
  • Go to Amazon S3 > AWS Access > Access Method.
  • Role-based access is recommended and selected by default.
  • The Account ID and External ID are displayed under Role-based access.

Step 3: Configuration Details 

  • Enter the Sumo Logic Role-based access Account ID and External ID in the SIEM AWS Account ID and SIEM External ID fields.
  • Once the user enters valid details, a success pop-up is displayed.

SIEM Integration configuration details are also displayed.

Step 4: Integrate with Sumo Logic 

  • Enter a valid Name and Description in the respective fields.
  • Select the S3 Region.
  • Enter the Bucket name and path expression (obtained from the configuration details) in their respective fields. In the path expression field, add an asterisk symbol (*) after the path.

 Ex: cust-2/*

  • In AWS Access > Role ARN, enter the role ARN copied from the configuration details.
  • In Log File Discovery, select the required scan interval.
  • After filling in all the fields mentioned above, go to the end of the page and click Save.

Step 5: View Scan Logs 

  • On the Collection page, hover over your collector's name; a blue icon is displayed. Click on the icon.
  • The source collector opens. Select a time span and click on the search icon to fetch the log records.
  • The scan log details for the selected collector are displayed.
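The Role-based access used in Steps 3 and 4 is AWS cross-account role assumption: WAS writes the scan logs to an S3 bucket and publishes a role ARN that the Sumo Logic account can assume only when it presents the matching External ID, which is what stops any other SIEM tenant from reading those logs. The script below is an added example, not code from this article, from WAS or from Sumo Logic; it builds the two IAM policy documents such a role carries and checks that the trust policy really does demand the External ID. The account ID, external ID and bucket name are constructed placeholders, and the prefix follows the cust-2/* path expression shown above.

```python
import json

# Constructed placeholder values: none of these come from the article.
SIEM_ACCOUNT_ID = "123456789012"         # the Sumo Logic "Account ID" shown under Role-based access
SIEM_EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID"  # the Sumo Logic "External ID" shown beside it
LOG_BUCKET = "was-scan-logs-example"     # bucket name from the WAS configuration details
LOG_PREFIX = "cust-2/"                   # path expression from the article, minus the trailing *

def build_trust_policy(account_id, external_id):
    """Trust policy: only the SIEM account may assume the role, and only with the External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def build_s3_read_policy(bucket, prefix):
    """Permission policy: list and read only the objects under the scan-log prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": f"{prefix}*"}}},
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
        ],
    }

def trust_policy_requires_external_id(policy):
    """Review check: every Allow of sts:AssumeRole must carry an sts:ExternalId condition."""
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        if not stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            return False
    return True

if __name__ == "__main__":
    trust = build_trust_policy(SIEM_ACCOUNT_ID, SIEM_EXTERNAL_ID)
    print(json.dumps(trust, indent=2))
    print(json.dumps(build_s3_read_policy(LOG_BUCKET, LOG_PREFIX), indent=2))
    print("External ID enforced:", trust_policy_requires_external_id(trust))
```

Running the check against the role's actual trust policy (for example the JSON returned by `aws iam get-role`) is a quick way to confirm the External ID condition was not dropped during setup.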
