Security Information and Event Management (SIEM) Integration
This feature is only available in Counterspy Standard and Premium.
You can easily integrate your existing Security Information and Event Management (SIEM) system with Verimatrix Counterspy. Integration allows Verimatrix Counterspy to send selected monitored events to your SIEM.
Prerequisites
- Your SIEM system is one of the following:
- Elastic Security Solution SIEM
- Splunk Cloud SIEM
- IBM Security QRadar SIEM
- The SIEM endpoint is up and running in your environment.
- Your SIEM endpoint credentials are available.
- If there is an active firewall in your environment, the SIEM endpoint port must be open.
  Verimatrix Counterspy runs in the AWS cloud, so AWS source addresses must be whitelisted. You can find AWS IP address ranges at https://ip-ranges.amazonaws.com/ip-ranges.json.
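As an added example (not Verimatrix's code), the following Python parses the ip-ranges.json format linked above into a collapsed allowlist, checks whether a connecting address falls inside it, and renders firewall rules for the SIEM endpoint port. The embedded JSON is a constructed sample, and the region eu-west-1 and port 9200 are placeholders: the page does not state which AWS region Counterspy runs in or which port your SIEM listens on.

```python
import ipaddress
import json

# Constructed sample in the layout of ip-ranges.json (a few prefixes only, not the
# live file). In production, download https://ip-ranges.amazonaws.com/ip-ranges.json.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "52.94.76.0/22", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "54.240.128.0/18", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "52.94.76.0/22", "region": "eu-west-1", "service": "DYNAMODB"},
        {"ip_prefix": "52.93.178.234/32", "region": "us-west-2", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2600:1f14::/35", "region": "us-west-2", "service": "EC2"},
    ],
})


def aws_allowlist(ip_ranges_json, regions, services=("EC2", "AMAZON")):
    """Return de-duplicated, collapsed CIDRs for the given regions and services.

    `regions` is a placeholder: the page does not say which region Counterspy uses."""
    data = json.loads(ip_ranges_json)
    nets = set()
    for entry in data.get("prefixes", []):
        if entry["region"] in regions and entry["service"] in services:
            nets.add(ipaddress.ip_network(entry["ip_prefix"]))
    for entry in data.get("ipv6_prefixes", []):
        if entry["region"] in regions and entry["service"] in services:
            nets.add(ipaddress.ip_network(entry["ipv6_prefix"]))
    # Collapse overlapping/adjacent prefixes per address family to keep the rule set small.
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in v4] + [str(n) for n in v6]


def is_allowed(source_ip, cidrs):
    """True when a connecting address falls inside one of the allowlisted prefixes."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def iptables_rules(cidrs, port, proto="tcp"):
    """Render one ACCEPT rule per CIDR for the SIEM endpoint port (iptables / ip6tables)."""
    rules = []
    for cidr in cidrs:
        tool = "ip6tables" if ":" in cidr else "iptables"
        rules.append(f"{tool} -A INPUT -p {proto} -s {cidr} --dport {port} -j ACCEPT")
    return rules


if __name__ == "__main__":
    cidrs = aws_allowlist(SAMPLE_IP_RANGES, regions={"eu-west-1"})
    print("\n".join(iptables_rules(cidrs, 9200)))
```

Re-run the script whenever the `syncToken` in the downloaded file changes, since AWS adds and removes prefixes over time.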
To Integrate Your SIEM
- Log in to Verimatrix Platform.
- On the left navigation bar, go to Counterspy -> Overview.
- On the right-hand side click SIEM status in the SIEM Integration panel.
- Select the SIEM type from the available options in the drop-down menu.
- Depending on the selected SIEM type, fill in the Cloud ID / Hostname or IP address field.
- Fill in the Endpoint index field, where events should be sent.
- Click the Update Credentials label. Depending on the selected SIEM type, fill in the User Name and Password or API Access Token fields.
- Select the Minimum Score value, which is the calculated minimum risk score that triggers a SIEM event.
- Select the Event Types values, that is, the event types that trigger a SIEM event.
- Click the Check Settings button to confirm that a connection can be established with the SIEM endpoint.
- Click Save.
To Disable SIEM Integration
- Log in to Verimatrix Platform.
- Go to Counterspy -> Dashboard.
- Set the SIEM Integration option to Disabled.
- Click Save.
NOTE: Credentials are optional, unless you want to:
- Perform a new SIEM integration
- Confirm if a connection can be established with the SIEM endpoint