Configure SIEM Settings

Configure SIEM settings in PMC to send audit event data to an accessible S3 bucket. Events include computer, activity, and authorization request events. All events are sent to the same S3 bucket in the selected format (CEF or ECS).

You must configure the S3 bucket details before you can configure the SIEM integration in PMC. In AWS, set up the bucket and access to the bucket. This includes:

  • Create a bucket. When creating the bucket, be sure to note the bucket name and region. You need to enter this information when configuring the settings in PMC.
  • Create an access policy. When creating the access policy, the permissions required for the integration are: PutObject, ListAllMyBuckets, GetBucketAcl, and GetBucketLocation.
  • Add a user. When attaching a user to a policy, be sure to select Programmatic access as the access type and Attach existing policies directly as the permission type. Copy the Access Key ID and Secret Access Key to a file; you need to enter these details when configuring the settings in PMC.
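The following IAM policy is an added example, not taken from the PMC documentation, showing those four permissions granted with the narrowest resource scope they allow: PutObject on objects in the bucket, GetBucketAcl and GetBucketLocation on the bucket itself, and ListAllMyBuckets on "*" (that action is account-wide and cannot be limited to one bucket). The bucket name is a placeholder to replace with the name noted when the bucket was created.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "WriteSiemBatchesToBucketOnly",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::REPLACE-WITH-YOUR-BUCKET-NAME/*"
    },
    {
      "Sid": "ValidateSettingsChecksOnBucket",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketAcl",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::REPLACE-WITH-YOUR-BUCKET-NAME"
    },
    {
      "Sid": "ListBucketsIsAccountWide",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    }
  ]
}
```

Because the policy grants no GetObject or DeleteObject, the access key stored in PMC can only write new batch files; reading or removing exported events requires a different principal.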

For more information, please see the following AWS documentation:

Configure Your SIEM Tool in PMC

  1. Select Configuration, and then select SIEM Settings.
  2. Select Enable SIEM Integration to turn on the feature.
  3. Enter the details for your storage site:
    • Access Key ID: Enter the value created when you added the user.
    • Secret Access Key: Enter the value created when you added the user.
    • Bucket: Enter the name of the S3 bucket.
    • Region: Select or search for the name of the region where your storage bucket resides.
    • SIEM Format: Select a message format to export data to an AWS S3 bucket: CEF - Common Event Format or ECS - Elastic Common Schema.
  4. Select Server-Side Encryption to encrypt files sent to the S3 bucket using the default AWS encryption key.
  5. Click Validate Settings to test the connection to your storage site.
  6. Click Save Settings.

If you no longer want the SIEM integration active, click Enable SIEM Integration again to turn the feature off.

Events are queued and sent in batches at one-minute intervals. This interval is not configurable. A folder is created in the bucket where the batches are saved. You can open and download each batch file, which stores the event data in JSON format.