SIEM server support

  • Question

  • Hello,

    The ATA preview looks very interesting. The technical preview documentation states there are four supported SIEM tools. If we are NOT using one of the four named products, what expectation should we have for a working solution? 

    Stated a different way, are there some standard Syslog event formats that will feed into ATA? If so, can you elaborate on those formats?

    Thank you,

    Johnson

    Tuesday, May 12, 2015 4:12 PM

All replies

  • Hi,

    Thank you for your interest in ATA.

    We currently support only those four SIEM solutions and not any general format.

    Can I ask what is your SIEM solution? We are planning to support more solutions and yours might be one of them. 

    Sivan.

    SK


    Tuesday, May 12, 2015 5:57 PM
  • Hi Johnson,

    Just to make sure we are aligned, there are 2 types of SIEM integration:

    1. Sending suspicious activities information from ATA to SIEM

    2. Receiving events from SIEM to enrich the detection

    For option number 1, we support all SIEM brands that support the CEF format.

    Thanks,

    The ATA Team

    Tuesday, May 12, 2015 9:24 PM
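    The reply above says ATA forwards suspicious activities to any SIEM that accepts the CEF format. As an added example (not code from the ATA team or the product), the following Python parser reads one syslog line carrying a CEF record; the sample line is constructed with placeholder vendor, product and field values and exercises the two escapes a receiver must honour, `\|` inside a header field and `\=` inside an extension value.

```python
import re

# Constructed sample: a syslog line carrying a CEF event (placeholder vendor,
# product and values, not a real ATA alert), with escaped "|" and "=" inside.
SAMPLE = (
    "<13>May 12 16:12:00 siem-forwarder "
    "CEF:0|ExampleVendor|Example\\|Product|1.0|1000|Example suspicious activity|7|"
    "src=192.0.2.10 suser=alice msg=query a\\=b|c rt=1431447120000"
)

HEADER_FIELDS = ("version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # "key=" at start or after a space
_ESCAPES = {"\\\\": "\\", "\\=": "=", "\\|": "|", "\\n": "\n", "\\r": "\r"}


def _split_header(text):
    """Consume the seven pipe-delimited header fields, honouring \\| and \\\\.
    Pipes after the seventh belong to the extension and are left untouched."""
    fields, buf, i = [], [], 0
    while i < len(text) and len(fields) < len(HEADER_FIELDS):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):     # escaped character: keep it literally
            buf.append(text[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(buf)); buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("CEF header has fewer than seven fields")
    return fields, text[i:]


def _unescape(value):
    return re.sub(r"\\[\\=|nr]", lambda m: _ESCAPES[m.group(0)], value)


def parse_cef(line):
    """Parse one syslog line that carries a CEF event into a dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    fields, ext = _split_header(line[start + len("CEF:"):])
    event = dict(zip(HEADER_FIELDS, fields))
    event["severity"] = int(event["severity"])     # CEF severity is an integer scale
    keys = list(_KEY_RE.finditer(ext))
    event["extension"] = {}
    for n, m in enumerate(keys):                    # each value runs up to the next key
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        event["extension"][m.group(1)] = _unescape(ext[m.end():end]).strip()
    return event
```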
  • Sivan,

    LogRhythm is one of the SIEM products we are looking at, which was not on your list.

    Thank you.

    Wednesday, May 13, 2015 5:45 PM
  • Hi Sivan,

    We currently have Solarwinds SIEM, but are currently evaluating new SIEM solutions. Top of our list are IBM, HP, McAfee, AlienVault (Splunk), and LogRhythm.  We are basing the selection largely on the Gartner "Magic Quadrant" as of June 2014. At the moment McAfee appears to be our first choice because it will integrate with ePO logging and PCI-DSS reporting. Are any of the "Magic Quadrant" SIEM solutions planned to be integrated?  

    Additionally we currently employ Microsoft System Center Operations Manager which I am surprised is not able to interact with ATA.  Is there any plan for integration between MS SCOM and the MS ATA?

    • Edited by Xtended Wednesday, June 24, 2015 1:13 PM
    Wednesday, June 24, 2015 1:12 PM
  • We currently support HP Arcsight, Splunk and RSA Security Analytics and we are evaluating support in other SIEM solutions, mainly from the "Magic Quadrant".

    SK

    Wednesday, July 8, 2015 8:25 PM
  • Hi Idan

    From the above, does Microsoft currently support Alien Vault SIEM with ATA? And if not, when will it support it or will it ever support it?

    Also what will be a workaround for a customer who currently uses an Alien Vault SIEM as I am currently faced with this at a customer's site deploying Microsoft ATA. They currently use Alien Vault as their SIEM.

    Eagerly awaiting your response.

    Regards

    Ola

    Friday, November 13, 2015 4:51 PM
  • Are there any other ways to feed data to the Center for type #2 (enrichment)? 
    Thursday, October 26, 2017 4:49 PM
  • +1 for LogRhythm - any news or update on whether / when there will be support for LogRhythm integration, or for other SIEMs that support the LEEF format rather than CEF?
    Sunday, January 28, 2018 7:06 PM