Integrations - SIEM

The Security Information and Event Management (SIEM) integration engine enables tenants to forward event logs in various formats to SIEM platforms or other external systems. Avanan can integrate with multiple SIEM platforms.

Note - Avanan generates these security events for the integrated SIEM platforms:

  • Phishing
  • Suspicious Phishing
  • User Reported Phishing
  • Malware
  • Suspicious Malware
  • Malicious URL
  • Malicious URL Click
  • DLP
  • Anomaly
  • Shadow IT
  • Spam

Note - Avanan generates logs for each one of these security events.

Encryption - Unless configured otherwise, all events are forwarded over HTTPS.

Source IP Address

Avanan can be deployed in one of several geographic regions. The security events get forwarded from a unique static IP for each region.

The static IP address for different regions:

  • United States - 34.192.247.192
  • Europe - 54.247.106.52
  • Australia - 52.63.125.59
  • Canada - 35.182.23.24

Configuring SIEM Integration

To configure SIEM integration from the Avanan Portal:

  1. Go to Config > Security Engines > SIEM Integration.
  2. Under SIEM Integration click Configure.
  3. Select the required Transport method and enter the relevant details. For more details, see Required fields for Transport method.
  4. Select the required Log Format.
    • JSON (Splunk HEC/CIM compatible)
    • JSON
    • JSON Flat (dot notation)
    • JSON (Rapid7, <8k characters)
  5. Click Save.

Note - After configuring SIEM integration from the Avanan Portal, Avanan starts sending logs. You have to configure your SIEM platform to receive logs from Avanan.
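As an added example (not code from Avanan's documentation or product), the receiving side of an HTTP Collector can use the static egress IPs and the event list above as an acceptance gate, and flatten() shows what the "JSON Flat (dot notation)" format does to a nested event. The event field names (event_type, entity, sender, recipients) are constructed and are not Avanan's real schema, and the max_chars argument stands in for the Rapid7 "<8k characters" limit.

```python
import ipaddress
import json

# Static egress IPs per region and the event types Avanan generates, as listed on this page.
AVANAN_SOURCE_IPS = {
    ipaddress.ip_address("34.192.247.192"): "United States",
    ipaddress.ip_address("54.247.106.52"): "Europe",
    ipaddress.ip_address("52.63.125.59"): "Australia",
    ipaddress.ip_address("35.182.23.24"): "Canada",
}
EVENT_TYPES = {
    "Phishing", "Suspicious Phishing", "User Reported Phishing", "Malware",
    "Suspicious Malware", "Malicious URL", "Malicious URL Click", "DLP",
    "Anomaly", "Shadow IT", "Spam",
}
# Constructed sample delivery; the field names are illustrative, not Avanan's schema.
SAMPLE_BODY = json.dumps({"event_type": "Phishing", "entity": {
    "sender": "mallory@example.net",
    "recipients": ["alice@example.com", "bob@example.com"]}})

def source_region(peer_ip):
    """Return the Avanan region for a peer IP, or None if it is not an Avanan egress IP."""
    return AVANAN_SOURCE_IPS.get(ipaddress.ip_address(peer_ip))

def flatten(obj, prefix=""):
    """Flatten nested JSON into dot-notation keys (the 'JSON Flat' shape)."""
    out = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}{key}."))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            out.update(flatten(value, f"{prefix}{index}."))
    else:
        out[prefix[:-1]] = obj  # strip the trailing dot
    return out

def accept_event(peer_ip, body, max_chars=None):
    """Gate one delivery: returns (accepted, reason or region, flattened event)."""
    region = source_region(peer_ip)
    if region is None:
        return False, "source IP not in Avanan allowlist", None
    if max_chars is not None and len(body) >= max_chars:  # e.g. the Rapid7 <8k format limit
        return False, f"payload exceeds {max_chars} characters", None
    try:
        event = json.loads(body)
    except json.JSONDecodeError:
        return False, "body is not valid JSON", None
    if event.get("event_type") not in EVENT_TYPES:
        return False, "unknown event type", None
    return True, region, flatten(event)
```

The allowlist is a complement to, not a replacement for, the HTTPS transport and the collector's own token or URL secret.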

Required fields for the Transport method

Each Transport method and its required fields:

Splunk HTTP Event Collector (HEC)
  • HTTP Event Collector Host
  • HTTP Event Collector Token
  • (Optional) To use Indexer acknowledgment, click the checkbox and enter the Channel ID
  • (Optional) To use Splunk Index, click the checkbox and enter the Splunk index name

HTTP Collector
  • HTTP Collector URL

AWS S3
  • AWS IAM Role ARN
  • AWS S3 Bucket Name
  • AWS S3 Bucket Region
  • AWS S3 Bucket Directory Path
  • (Optional) To use External ID, click the checkbox and enter the External ID.

AWS SQS
  • AWS SQS Queue URL

Azure Log Workspace
  • Azure Log Workspace ID
  • Azure Log Workspace Shared Key

For more details about configuring AWS S3 to receive logs from Avanan, see Configuring AWS S3 to Receive Avanan Logs.

For more details about configuring AWS S3 to send logs to Splunk, see Configuring AWS S3 to Send Avanan Logs.

Recommended Configuration for known SIEM Platforms

Avanan can integrate with a large number of SIEM platforms.

Note - If you need help in configuring your SIEM platform to integrate with Avanan, contact Avanan Support.

These are the recommended configurations (Transport Method and Log Format) for some of the SIEM platforms.

Splunk
  • Transport Method - Splunk HTTP Event Collector (HEC)
    • HTTP Event Collector Host - value from Splunk HEC configuration
    • HTTP Event Collector Token - value from Splunk HEC configuration
  • Log Format - JSON (Splunk HEC/CIM compatible)

Rapid7
  • Transport Method - AWS SQS
  • Log Format - JSON (Rapid7, <8k characters)

Sumo Logic
  • Transport Method - HTTP Collector
    • HTTP Collector URL - value from Sumo Logic
  • Log Format - JSON

Azure Log Workspace
  • Transport Method - Azure Log Workspace
    • Azure Log Workspace ID - value from Azure configuration
    • Azure Log Workspace Shared Key - value from Azure configuration
  • Log Format - JSON

LogRhythm
  • Transport Method - AWS S3. For the fields required for AWS S3, see Required fields for the Transport method. If a new S3 bucket is needed, follow the specific instructions for configuring the S3 bucket; for more details, see Configuring AWS S3 to Receive Avanan Logs.
  • Log Format - JSON

McAfee SIEM
  • Transport Method - AWS S3. For the fields required for AWS S3, see Required fields for the Transport method. If a new S3 bucket is needed, follow the specific instructions for configuring the S3 bucket; for more details, see Configuring AWS S3 to Receive Avanan Logs. To ingest the logs from the S3 bucket into McAfee SIEM, refer to Configuration of Amazon S3 upload feature and the McAfee documentation.
  • Log Format - JSON