SIEM Integration

AD360 allows you to integrate its components with SIEM solutions so that the logs generated by its components can be forwarded to the SIEM solution in syslog format for further analysis. Once forwarded, you can use your SIEM solution to correlate logs from the AD360 components with other logs in the network, as well as process, analyze, and generate reports and alerts for critical security incidents.

Note: Currently, you can integrate only the ADSelfService Plus component with SIEM tools using AD360. A centralized SIEM integration option for other components is in the works and will be available soon.

Integration steps

  • Log in to AD360 as an administrator.
  • Navigate to Admin → Administration → SIEM Integration.
  • You’ll see a table in which each row contains the SIEM integration details of a component.
  • To integrate a component with a SIEM tool for log forwarding, click the respective Configure Now link or the edit icon.
  • ad360-siem-integration

  • Select a Server Type from the drop-down. You can choose from the following SIEM tools:
  • Based on the server type you choose, the steps may vary.

Integration with Syslog servers

  • Enter the Syslog Server Name or IP Address.
  • Enter the Port number.
  • Select a Protocol from the drop-down.
  • Select the format in which you want to forward the logs to the syslog server from the Syslog Standard drop-down.
  • If needed, click Advanced to configure the severity, facility, and the date format of the logs.
  • integration-with-syslog-servers

  • Click Configure to finish the integration.

Integration with Splunk

  • Collect the HTTP event collector token of your Splunk Enterprise.
    • Log in to Splunk as an administrator.
    • Navigate to Settings → Data Inputs → HTTP Event Collector.
    • Click New Token.
    • Specify a name for the token and retain the default values for the other fields.
    • Click Save to generate the authentication token.
  • Back in AD360 SIEM Integration configuration page, enter the Server Name or IP Address of your Splunk server.
  • Enter the HTTP Event Collector Port number.
  • Choose whether SSL is enabled or disabled in the SIEM tool from the drop-down.
  • Enter the Authentication Token you generated from step 1.e.
  • integration-with-splunk

  • Click Configure to finish the integration.