Log Forwarding
Add a SIEM to the Exabeam Cloud Connectors Platform
You can add a SIEM with Exabeam Cloud Connectors 2.1.22 and later releases. If you are using an older version of the Exabeam Cloud Connectors Platform, we highly recommend upgrading to the latest version. If you do not know which version you are using, see Find the Version of your Exabeam Cloud Connectors Platform.
Select SETTINGS > SIEM INTEGRATION and click ADD SIEM.
Define the SIEM parameters:
Name – Enter a descriptive name to identify the SIEM. For example, Primary SIEM.
Host – Enter the SIEM IPv4 address or DNS name. For example: 10.0.0.2 or mysiem.corp.net.
Port – Enter the port used by the SIEM to retrieve syslog events. For example, 514.
Protocol – Choose the protocol to use (TCP, UDP, or TLS) for the syslog channel with the SIEM.
Message Format – Choose the syslog specification that is appropriate for your SIEM requirements. Use the default of RFC 5424 unless you require the deprecated RFC 3164 format. For RSA NetWitness, use the RFC 3164 SHORT option.
Activate – (Single-tenant mode only) When single-tenant mode is used, Exabeam Cloud Connectors automatically detects and prompts you to activate the new SIEM. On activation, the SIEM is attached to the default-tenant. If you do not want to use the SIEM immediately, choose NO.
Click TEST CONNECTION to send a test syslog event to the SIEM using the specified settings.
For TCP/TLS, if the test is successful and the target SIEM accepts the test event, you should see a message similar to the following:
As an alternate method of verification, you can search your SIEM for a syslog/CEF event where:
cef_name = "Skyformation-test SIEM settings event"
SAVE your changes.
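To confirm on the receiving side that the test event arrived in the Message Format you selected, the check below classifies a received syslog line as RFC 5424 or RFC 3164 and compares its CEF Name field with the test event name. It is an added example, not Exabeam code; the function names, sample frames, and vendor/product values are constructed for illustration, and the RFC 3164 SHORT variant is not modelled.

```python
import re

TEST_EVENT_NAME = "Skyformation-test SIEM settings event"  # cef_name from this page

# RFC 5424: "<PRI>1 ISO-TIMESTAMP HOST APP PROCID MSGID "; RFC 3164: "<PRI>Mmm dd hh:mm:ss HOST "
RFC5424 = re.compile(r"^<(\d{1,3})>1 \S+ \S+ \S+ \S+ \S+ ")
RFC3164 = re.compile(r"^<(\d{1,3})>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \S+ ")


def syslog_format(line):
    """Return 'RFC 5424', 'RFC 3164', or None for an unrecognised header."""
    for name, pattern in (("RFC 5424", RFC5424), ("RFC 3164", RFC3164)):
        m = pattern.match(line)
        if m and int(m.group(1)) <= 191:  # PRI = facility * 8 + severity
            return name
    return None


def cef_name(line):
    """Return the CEF Name header field, or None if the CEF header is incomplete."""
    start = line.find("CEF:")
    if start < 0:
        return None
    payload, fields, cur, i = line[start:], [], [], 0
    while i < len(payload) and len(fields) < 7:  # 7 pipe-terminated header fields
        ch = payload[i]
        if ch == "\\" and payload[i + 1:i + 2] in ("\\", "|"):
            cur.append(payload[i + 1])  # \| and \\ are escapes, not delimiters
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    return fields[5] if len(fields) == 7 else None


def check_line(line):
    """Return (detected syslog format, True if this is the connector test event)."""
    return syslog_format(line), cef_name(line) == TEST_EVENT_NAME


# Constructed sample frames; vendor, product, host and extension are placeholders.
CEF = "CEF:0|ExampleVendor|ExampleProduct|1.0|0|" + TEST_EVENT_NAME + "|1|msg=constructed"
SAMPLE_5424 = "<134>1 2024-01-01T12:00:00Z connector01 cc - - - " + CEF
SAMPLE_3164 = "<134>Jan  1 12:00:00 connector01 cc: " + CEF
```

Feed `check_line` a line captured on the SIEM listener; a format other than the one configured under Message Format points to a mismatch between the connector setting and what the SIEM parser expects.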
Globally Send All Events Directly to the SIEM
Select Settings > Advanced.
Navigate to your tenant/settings.
Create an entry named connectors-sync-settings in /sk4/tenants/default-tenant-id/settings/.
In the body of the entry, enter the following JSON:
{ "user-identity-assignment": null, "failover-enabled": true, "global-sync-target": "siem" }