Integrations - SIEM / SOAR

Avanan allows integration with multiple Security Information and Event Management (SIEM) platforms and Cortex XSOAR by Palo Alto Networks.

Encryption - For SIEM, unless configured otherwise, all events are forwarded over HTTPS.

Source IP Address

Avanan can be deployed in one of several geographic regions. The security events get forwarded from a unique static IP for each region.

The static IP address for different regions:

  • United States - 34.192.247.192
  • Europe - 54.247.106.52
  • Australia * - 52.63.125.59
  • Canada -  35.182.23.24
  • India * -  13.126.227.64
  •  United Arab Emirates * - 3.29.198.97

* These regions are relevant only for tenants created using the Avanan MSP Portal.

Configuring SIEM Integration

To configure SIEM integration from the Avanan Portal:

  1. Go to Security Settings > Security Engines.
  2. Under SIEM Integration click Configure.
  3. Select the required Transport method and enter the relevant details. For more details, see Supported Transport methods.
  4. Select the required Log Format.
    • JSON (Splunk HEC/CIM compatible)
    • JSON (CIM compatible)
    • JSON
    • JSON Flat (dot notation)
    • JSON (Rapid7, <8k characters)
    • JSON (Google UDM Compatible)
    • Syslog (See Forwarding logs in syslog format)
    • Google Chronicle Unstructured logs
  5. (Optional) If you need to add custom fields to every event forwarded from Avanan to your SIEM platform:
    1. Select the Add custom field checkbox.
    2. Enter the required Custom field name.
    3. Enter the required Custom field value.
      Note - You can add only up to five custom fields.
  6. Click Save.

Note - After configuring SIEM integration from the Avanan Portal, Avanan starts sending logs. You have to configure your SIEM platform to receive logs from Avanan.

Supported Transport Methods

Transport Method Required Fields
Splunk HTTP Event Collector (HEC) HTTP Event Collector Host / URI
HTTP Event Collector Token
(Optional) To use Indexer acknowledgment, select the checkbox and enter the Channel ID.
(Optional) To use Splunk Index, select the checkbox and enter the Splunk index name.
HTTP Collector HTTP Collector URL
AWS S3 AWS IAM Role ARN
AWS S3 Bucket Name
AWS S3 Bucket Region
AWS S3 Bucket Directory Path
(Optional) To use External ID, select the checkbox and enter the External ID.
AWS SQS AWS SQS Queue URL
Azure Log Workspace Azure Log Workspace ID
Azure Log Workspace Shared Key
TCP TCP Host
TCP Port
Google Chronicle Customer ID - Unique identifier (UUID) corresponding to your Chronicle instance.
Account Region - Region where your Chronicle instance is created.
Credentials JSON - Google Service Account credentials.
Note - If the Credentials JSON is not available, contact Google support.

Ingestion API - Google Chronicle Ingestion API type

  • Unified Data Model (UDM) event
  • Unstructured log

 

Forwarding Logs in Syslog Format

  • Syslog messages are RFC 5424 compliant.
  • If you need to limit the syslog message size, select the Limit syslog message format checkbox, and under Limit syslog message length (bytes), enter the message limit in bytes.
    syslog-format
  • If you need to add authentication token to all the syslog messages, enter the token under Token (optional).
  • If you want to use your organization's own Certificate Authority certificate (CA certificate) with the TCP transport method, contact Avanan Support.

Supported Security Events for SIEM

Avanan supports to send these security events to the integrated SIEM platforms:

  • Phishing
  • Suspected Phishing
  • User Reported Phishing
  • Malware
  • Suspected Malware
  • Malicious URL
  • Malicious URL Click
  • DLP
  • Shadow IT
  • Spam

Notes:

  • Avanan generates logs for each one of these security events.
  • Avanan does not add sensitive data to the DLP SIEM logs.

For more details about configuring AWS S3 to receive logs from Avanan, see Configuring AWS S3 to Receive Avanan Logs.

For more details about configuring AWS S3 to send logs to Splunk, see Configuring AWS S3 to Send Avanan Logs.

Recommended Configuration for known SIEM Platforms

Avanan can integrate with a large number of SIEM platforms.

Note - If you need help in configuring your SIEM platform to integrate with Avanan, contact Avanan Support.

These are the recommended configuration for some of the SIEM platforms.

SIEM Platform

Transport Method

Log Format

Splunk

Splunk HTTP Event Collector (HEC)

  • HTTP Event Collector Host / URI - Host or URI value from Splunk HEC configuration
  • HTTP Event Collector Token - value from Splunk HEC configuration

JSON (Splunk HEC/CIM compatible)

Rapid7

AWS SQS

JSON (Rapid7, <8k characters)

Sumo Logic

HTTP Collector

  • HTTP Collector URL - value from Sumo Logic

JSON

Azure Log Workspace

Azure Log Workspace

  • Azure Log Workspace ID - value from Azure configuration
  • Azure Log Workspace Shared Key - value from Azure configuration

JSON

LogRhythm

AWS S3

For the fields required for AWS S3, see Required fields for the Transport method.

If a new S3 Bucket is needed, you should follow specific instructions while configuring the S3 bucket. For more details, see Configuring AWS S3 to Receive Avanan logs.

JSON

McAfee SIEM

AWS S3

For the fields required for AWS S3, see Required fields for Transport method.

If a new S3 Bucket is needed, you should follow specific instructions while configuring the S3 bucket. For more details, see Configuring AWS S3 to Receive Avanan logs.

To receive the logs from S3 bucket to McAfee SIEM, refer to Configuration of Amazon S3 upload feature and McAfee Documentation.

JSON

Other

Avanan can integrate with any SIEM platform. If you need help in configuring your SIEM platform to integrate with Avanan, contact Avanan support.

 

Configuring Integration with Cortex XSOAR by Palo Alto Networks

Avanan allows integration with Cortex XSOAR to automatically trigger playbooks based on detected security events and other criteria. For more information about the integration, see Cortex XSOAR documentation.