SIEM
Locktera SIEM Integration Documentation
Locktera provides integration with Security Information and Event Management (SIEM) systems to enhance security monitoring, threat detection, and incident response. SIEM integration enables organizations to centralize the collection and analysis of events generated within Locktera. This document explains how to integrate Locktera with your SIEM platform and outlines the key features and configuration steps.
Key Features of SIEM Integration
- Centralized Monitoring: Aggregate Locktera security events and logs into a central SIEM platform for real-time monitoring and analysis.
- Threat Detection: Detect suspicious activities and potential security threats by analyzing Locktera events alongside other security data.
- Customizable Log Data: Select the types of events to be forwarded to the SIEM system based on your organization's security needs.
Supported SIEM Platforms
Locktera supports integration with major SIEM platforms, including but not limited to:
- Splunk
- IBM QRadar
- ArcSight
- Elastic SIEM
- LogRhythm
- Azure Sentinel (now Microsoft Sentinel)
- Sumo Logic
Prerequisites
Before setting up SIEM integration, ensure the following:
- SIEM Platform: A SIEM platform should already be set up and configured in your organization.
- Access to Locktera: Administrative access to Locktera is required to enable and configure SIEM integration.
- API Access: Ensure that API integration or log ingestion features are enabled in your SIEM platform.
- Log Forwarding Mechanism: Locktera delivers events over standard syslog, via API-based integration, or by direct log forwarding. Ensure your SIEM system can accept incoming log data by one of these methods, preferably over a TLS-capable transport (syslog over TLS or HTTPS) so that events are not sent in cleartext.
Types of Events Available for SIEM Integration
Locktera can send various types of security-related events to your SIEM system. Key event types include:
- User Authentication Events: Successful and failed login attempts, multi-factor authentication (MFA) activity, and OAuth login events.
- Administrative Actions: Creation, deletion, or modification of users, roles, and permissions.
- File Access Logs: Access, modification, deletion, and sharing of files and folders.
- Configuration Changes: Changes to organizational settings, SSO, API keys, and cloud storage configurations.
- Security Events: Detection of unusual login patterns, changes to IP whitelisting, and use of the Kill Switch feature.
- Audit Logs: Comprehensive logging of user and system activities.
Step-by-Step Integration Process
Step 1: Enable SIEM Integration in Locktera
- Log in to Locktera with an administrative account.
- Navigate to Settings > Security & Logs > SIEM Integration.
- Click Enable SIEM Integration to activate log forwarding to your SIEM platform.
Step 2: Configure SIEM Integration Settings
After enabling SIEM integration, configure the settings as follows:
- Log Destination: Specify the destination endpoint for your SIEM system. This could be:
  - Syslog Server: If using a syslog server for log forwarding, enter the server address and port. Where the receiver offers a syslog-over-TLS listener (RFC 5425), point Locktera at that rather than at a plain UDP or TCP listener on port 514.
  - API Endpoint: If using an API-based SIEM system, enter the API URL and authentication details (API keys or tokens). Scope these credentials to log ingestion only and rotate them as you would any other API key.
- Log Format: Select the log format supported by your SIEM system. Locktera supports the following formats:
  - Syslog (RFC 5424)
  - JSON (structured log format)
  - CEF (Common Event Format)
- Event Filters: Choose the event types you want to forward to the SIEM system (e.g., user login events, administrative actions, file access logs).
- Rate Limits and Throttling: Configure rate limits to control the frequency of log transmission to prevent overloading the SIEM system. Set the limit so that throttling only delays delivery; a rate limit that silently discards events leaves gaps in the audit trail.
- Test Integration: Use the Test Connection button to verify that Locktera can successfully forward events to your SIEM platform.
Step 3: Configure SIEM to Ingest Locktera Events
After configuring Locktera, set up your SIEM platform to ingest logs from Locktera:
- Add Log Source: In your SIEM system, configure a new log source for Locktera logs.
  - For syslog-based integration, add the Locktera server as a syslog source.
  - For API-based integration, configure an API connector or plugin to receive Locktera logs.
- Define Log Parsing Rules: Ensure that the SIEM system can parse the incoming Locktera log format (Syslog, JSON, or CEF). Create custom parsing rules if necessary.
- Correlate Events: Use your SIEM’s event correlation engine to analyze Locktera events in conjunction with other security data from across your organization.
Step 4: Set Up Alerts and Dashboards
Once the integration is established, you can create alerts and dashboards in your SIEM system to monitor security events from Locktera:
- Create Alerts: Set up SIEM rules to trigger alerts based on specific events or thresholds (e.g., multiple failed login attempts, administrative actions).
- Monitor Dashboards: Use the SIEM dashboard to view and analyze Locktera events in real time.
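The parsing rules in Step 3 and the failed-login alert in Step 4 can be prototyped outside the SIEM before committing to a vendor's rule syntax. The following Python is an added example written for this page, not Locktera's own code or output: it parses RFC 5424 syslog lines carrying a CEF payload (one of the formats listed in Step 2), applies the CEF escape rules so that a file name containing `|` or `=` cannot forge extra fields, and then runs a sliding-window rule that fires when one user and source address produce three or more failed logins within five minutes. The event class IDs (AUTH_FAIL, AUTH_OK, FILE_SHARE) and extension keys are assumptions, not Locktera's published schema, and the sample lines are constructed for the demonstration.

```python
"""Parse Locktera-style CEF events carried in RFC 5424 syslog and correlate them.
Added example: event class IDs, extension keys and sample lines are hypothetical."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) (?P<msg>.*)$"
)
# An extension key is "name=" at the start or after a space; an escaped "\=" never matches.
EXT_KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_.]+)=")

def _split_cef_header(msg):
    """Split the 7 CEF header fields on unescaped '|'; return (fields, raw_extension)."""
    fields, buf, i, n = [], [], 0, len(msg)
    while i < n and len(fields) < 7:
        c = msg[i]
        if c == "\\" and i + 1 < n:        # header escapes: \| and \\
            buf.append(msg[i + 1]); i += 2
            continue
        if c == "|":
            fields.append("".join(buf)); buf = []
        else:
            buf.append(c)
        i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header")
    return fields, msg[i:]                  # the extension keeps its own escapes for now

def _unescape_ext(value):
    # Extension escapes: \= \\ \n \r ; any other escaped character is taken literally.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def _parse_extension(ext):
    keys, out = list(EXT_KEY_RE.finditer(ext)), {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape_ext(ext[m.end():end])
    return out

def parse_line(line):
    """Return a dict for one syslog+CEF line; raise ValueError on malformed input."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m or not m.group("msg").startswith("CEF:"):
        raise ValueError("not an RFC 5424 line carrying CEF")
    hdr, ext = _split_cef_header(m.group("msg"))
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3, "severity": pri & 7,
        "timestamp": datetime.fromisoformat(m.group("ts").replace("Z", "+00:00")),
        "host": m.group("host"), "vendor": hdr[1], "product": hdr[2], "version": hdr[3],
        "event_class_id": hdr[4], "name": hdr[5], "cef_severity": int(hdr[6]),
        "ext": _parse_extension(ext),
    }

def detect_failed_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when one (user, source IP) pair logs >= threshold AUTH_FAIL events
    inside any sliding window of length `window`. Returns a list of alert dicts."""
    times = defaultdict(list)
    for ev in events:
        if ev["event_class_id"] == "AUTH_FAIL":            # hypothetical class ID
            times[(ev["ext"].get("suser"), ev["ext"].get("src"))].append(ev["timestamp"])
    alerts = []
    for (user, src), ts in times.items():
        ts.sort()
        best = start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"user": user, "src": src, "count": best})
    return alerts

# Constructed sample input (not real Locktera output): four failures for alice from one
# IP within 90 seconds, one failure for bob, one success, and a file-share event whose
# file name carries escaped '|' and '=' characters that must not split into new fields.
_HDR = "<134>1 {ts} locktera-app locktera - - - CEF:0|Locktera|Locktera|1.0|"
SAMPLE_LINES = [
    _HDR.format(ts="2024-05-01T10:00:01Z") + "AUTH_FAIL|User login failed|5|suser=alice src=203.0.113.7 outcome=failure",
    _HDR.format(ts="2024-05-01T10:00:20Z") + "AUTH_FAIL|User login failed|5|suser=alice src=203.0.113.7 outcome=failure",
    _HDR.format(ts="2024-05-01T10:00:45Z") + "AUTH_FAIL|User login failed|5|suser=alice src=203.0.113.7 outcome=failure",
    _HDR.format(ts="2024-05-01T10:01:30Z") + "AUTH_FAIL|User login failed|5|suser=alice src=203.0.113.7 outcome=failure",
    _HDR.format(ts="2024-05-01T10:02:00Z") + "AUTH_FAIL|User login failed|5|suser=bob src=198.51.100.9 outcome=failure",
    _HDR.format(ts="2024-05-01T10:02:10Z") + "AUTH_OK|User login succeeded|3|suser=bob src=198.51.100.9 outcome=success",
    _HDR.format(ts="2024-05-01T10:03:00Z") + "FILE_SHARE|File shared|4|suser=bob fname=q1\\|final\\=v2.pdf duser=carol",
]

def run_sample():
    events = [parse_line(l) for l in SAMPLE_LINES]
    return events, detect_failed_login_bursts(events)

if __name__ == "__main__":
    print(run_sample()[1])   # [{'user': 'alice', 'src': '203.0.113.7', 'count': 4}]
```

The same rule maps directly onto a Splunk search such as `stats count by suser, src` over a 5-minute `bin`, or onto a Sentinel scheduled analytics rule with a threshold; the part worth keeping from this prototype is the escape handling, which is what home-grown parsers most often get wrong and what an attacker targets when a user-controlled string (a file name, a display name) ends up inside a log field.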
Example Configuration for Splunk
Here’s an example of how to integrate Locktera with Splunk using syslog:
- Enable a syslog input in Splunk:
  - In Splunk, go to Settings > Data Inputs and add a new TCP (or UDP) input on the port that will receive Locktera logs (e.g., 514). Port 514 is the conventional syslog port, but binding a port below 1024 requires elevated privileges on the Splunk host, and plain UDP/TCP syslog is not encrypted in transit; in production prefer a TLS-enabled listener or a hardened syslog relay in front of Splunk.
  - Set the source type of the input to locktera and choose the target index (e.g., syslog) so that the search below matches.
- Configure Locktera Syslog Output:
  - In Locktera, navigate to Settings > SIEM Integration.
  - Choose Syslog as the output method and enter the Splunk server address and port.
- Test and Verify:
  - Use the Test Connection option in Locktera to send a test log to Splunk.
  - In Splunk, verify that the log appears in the index you assigned to the input.
- Create Splunk Queries:
  Use Splunk queries (SPL) to search and analyze Locktera events, such as:
    index=syslog sourcetype="locktera"
- Create dashboards for real-time monitoring of Locktera security events.
Example Configuration for Azure Sentinel
Here’s an example of how to integrate Locktera with Azure Sentinel using API-based log ingestion:
- Create a Custom Data Connector in Azure Sentinel:
  - In Azure Sentinel, navigate to Data connectors and create a custom connector for Locktera.
  - Obtain the API ingestion endpoint and credentials from Azure Sentinel. Treat the ingestion key as a secret: anyone holding it can write events into your workspace.
- Configure Locktera API Output:
  - In Locktera, navigate to Settings > SIEM Integration.
  - Choose API as the output method and enter the Azure Sentinel ingestion URL and API key.
- Test and Verify:
  - Use the Test Connection option in Locktera to send a test log to Azure Sentinel.
  - In Azure Sentinel, verify that the event appears in the Logs section (custom log tables are named with a _CL suffix).
- Set Up Alerts and Playbooks:
  - Create custom analytics rules in Azure Sentinel to trigger alerts based on Locktera events (e.g., failed logins, administrative changes).
  - Optionally, configure automated playbooks to respond to specific events.
-
Security and Compliance
- Data Encryption: Log data transmitted between Locktera and the SIEM system is encrypted using TLS when the destination is a TLS-capable endpoint (syslog over TLS, RFC 5425, or an HTTPS API). Plain UDP or TCP syslog on port 514 carries events in cleartext, so either enable TLS on the syslog receiver or confine that path to a trusted network segment.
- Access Control: Ensure that only authorized users and systems have access to Locktera’s SIEM integration settings and transmitted logs; those settings hold the SIEM credentials and determine where the audit trail goes.
- Audit Logs: Locktera maintains its own audit logs for configuration changes and log transmission, so that changes to the integration itself, including disabling it, are recorded.
Troubleshooting
1. No Logs Appearing in SIEM
- Check the network configuration to ensure that Locktera can reach the SIEM system (confirm the destination host and port are reachable from Locktera's egress addresses).
- Verify that the SIEM system is accepting logs on the specified port or API endpoint, and that the listener's transport (UDP, TCP, or TLS) matches what Locktera is configured to send.
- Review any firewall or security settings that may block log transmission.
2. Invalid API Credentials
- Ensure that the correct API key or authentication token is configured in Locktera.
- If using Azure Sentinel or a similar platform, regenerate the API credentials if needed, and revoke the old ones once the new configuration is verified.
3. Log Parsing Errors
- Ensure that the log format (Syslog, JSON, CEF) is correctly configured in both Locktera and the SIEM system.
- Review and adjust custom log parsing rules in the SIEM platform.
FAQs
Q1: Can I integrate Locktera with multiple SIEM platforms simultaneously?
A: Yes, Locktera allows you to configure multiple SIEM integrations. You can send logs to more than one SIEM system at the same time by setting up multiple log forwarding configurations.
Q2: Can I filter specific event types for SIEM forwarding?
A: Yes, Locktera allows you to filter which types of events are sent to the SIEM platform. You can configure event filters to only forward critical events, such as user authentication, file access, or administrative actions.
Q3: How often are logs forwarded to the SIEM system?
A: Log forwarding can be configured in real-time or batched based on your organization's requirements. Real-time forwarding sends logs as soon as events occur, while batched forwarding can be configured to send logs at regular intervals.
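The rate limit in Step 2 and the real-time versus batched choice in Q3 are two views of the same forwarder design question: how to hold events back without losing them. The following Python is an added example, not Locktera's implementation, that models what those settings should do. Events enter a bounded queue and leave in batches (when a batch fills or the oldest event has waited `max_delay` seconds); each batch is gated by a token bucket; and a batch the destination rejects (for example with HTTP 429) is put back at the head of the queue in its original order. Only a full queue ever drops, and that is counted so it can be alerted on. The `send` callable, the sizes and the simulated rejection are assumptions chosen for the demonstration.

```python
"""Throttled, batched event forwarding without silent loss (added example, not
Locktera's code). A rate limit here delays delivery; only a full bounded queue
drops events, and every drop is counted so it can be surfaced as an alert."""
import json
from collections import deque

class TokenBucket:
    """Allow `rate` events per second sustained and at most `burst` at once."""
    def __init__(self, rate, burst, now=0.0):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), now

    def try_take(self, n, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= n:
            self.tokens -= n
            return True
        return False

class BatchForwarder:
    """Queue events and ship them in rate-limited batches via send(list_of_json) -> bool."""
    def __init__(self, send, rate, burst, batch_size=50, max_delay=5.0, max_queue=10000):
        self.send = send
        self.bucket = TokenBucket(rate, burst)
        self.batch_size, self.max_delay, self.max_queue = batch_size, max_delay, max_queue
        self.queue = deque()            # (enqueue_time, event), oldest at the left
        self.sent = self.dropped = 0

    def submit(self, event, now):
        """Enqueue one event; returns False (and counts a drop) only if the queue is full."""
        if len(self.queue) >= self.max_queue:
            self.dropped += 1           # a drop is itself a security signal: surface it
            return False
        self.queue.append((now, event))
        return True

    def flush(self, now):
        """Send every batch that is full or overdue and that the rate limit allows.
        Returns the number of batches the destination accepted."""
        batches = 0
        while self.queue:
            overdue = now - self.queue[0][0] >= self.max_delay
            if len(self.queue) < self.batch_size and not overdue:
                break                                   # nothing ready yet
            n = min(self.batch_size, len(self.queue))
            if not self.bucket.try_take(n, now):
                break                                   # throttled: keep events queued
            batch = [self.queue.popleft() for _ in range(n)]
            if self.send([json.dumps(e) for _, e in batch]):
                self.sent += n
                batches += 1
            else:                                       # rejected: restore original order
                self.queue.extendleft(reversed(batch))  # tokens stay spent, acting as back-off
                break
        return batches

def sequence_numbers(json_batch):
    """Helper for checking delivery order of the constructed events below."""
    return [json.loads(s)["seq"] for s in json_batch]

def simulate():
    """Constructed scenario: 250 events arrive within one second against a limit of
    100 events/s (burst 100); the destination rejects the third batch once."""
    accepted, outcomes = [], iter([True, True, False])
    def fake_send(batch):
        ok = next(outcomes, True)
        if ok:
            accepted.extend(batch)
        return ok
    fwd = BatchForwarder(fake_send, rate=100, burst=100, batch_size=50)
    for i in range(250):
        fwd.submit({"event_class_id": "FILE_ACCESS", "seq": i}, now=i / 250)
    timeline = [(t, fwd.flush(t), len(fwd.queue)) for t in (1.0, 1.5, 2.0, 3.0, 4.0)]
    return fwd, accepted, timeline

if __name__ == "__main__":
    fwd, accepted, timeline = simulate()
    print(timeline, fwd.sent, fwd.dropped)   # all 250 delivered in order, none dropped
```

The timeline shows the shape a correctly throttled feed has in the SIEM: bursts arrive as evenly spaced batches, a rejected batch reappears unchanged on the next flush, and the only counter that should ever alarm is `dropped`. If a forwarder exposes a rate limit but no queue depth or drop counter, assume it discards, and alert on any gap in event sequence numbers or timestamps on the SIEM side.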