Summary: Enabling and initial setup of the Huntress Managed SIEM tool as an admin in the Huntress portal.
Configure Log Sources (Windows Event Logs)
Configure Log Sources (Generic Syslog (Local))
Configure Log Sources (Other Vendors)
1. Firewall
2. Identity/Authentication
3. Cloud
Start the Trial
1. Once the trial option has been set up for you, enable the trial via Active Trials (Trial Manager) in the Huntress portal. Select SIEM and choose "Start Trial".
2. Once enabled, you will receive a "Trial Starts for SIEM" message.
3. Navigate to the SIEM Dashboard in the left-hand panel under "SIEM" and refresh the page.
4. The "Configure" option for SIEM should appear within 2-3 minutes (usually much faster). Choose "Configure" to set up log collection.
Configure Log Sources (Windows Event Logs)
Windows Event Log collection is controlled globally, with per-organization overrides:
From the "Configure" tab under SIEM
1. Choose "Windows Event Logs".
2. To disable collection for ALL organizations, turn Windows Event Logging Collection off (left-hand side, towards the bottom of the page).
a. To exclude specific organizations, use the "Add Override" option and set them to "DISABLED". While not required, adding these overrides before enabling collection avoids collecting logs from organizations you intend to exclude.
b. Optionally, set an organization to "ENABLED" using the same "Add Override" button to ensure log collection is enabled for that organization.
3. New organizations are added to collection automatically unless they have been set to Disabled. Windows Event Logs will begin collecting within a few hours. If logs have not started collecting after 24 hours, please reach out to Huntress support.
Configure Log Sources (Generic Syslog (Local))
In this section we will configure a Huntress Agent to listen for syslog messages (syslog is a vendor-neutral logging standard, unrelated to Windows Event Logs). Once this is enabled, point your firewall's syslog output at the host running that agent; the agent will collect the messages and forward them to Huntress Managed SIEM.
From the "Configure" tab under SIEM
1. Choose "Generic Syslog (Local)"
2. In the top right, choose "Add Syslog Agent"
3. Select an organization and a host and hit "Save" once selected
4. The selected organization and hostname will appear under "Enabled Syslog Agents" within a few minutes.
Generally, only one endpoint needs to be added per organization. Syslog collection is intended for firewall data; pointing the firewall at additional collector endpoints would only duplicate the logs sent to Huntress and inflate the data volume collected.
Configure Log Sources (Other Vendors)
Additional log sources, such as Cisco Meraki Firewall, Duo, Keeper, Microsoft Azure, Google Cloud, and Amazon Web Services, are being added. Once available, selecting the associated option under "Configure" will let you "Add" them. Stay tuned!
Firewall
Enable Firewall Logs
Follow Enable Syslog Collection (Firewall Logs) to configure your firewall to send syslog to the endpoint with the Huntress Agent installed that is acting as your syslog collector. Once the firewall is sending, the Huntress agent uploads those logs to the Huntress portal.
Adding the Syslog Collector to the Huntress portal
All firewall logs are currently added to the Huntress portal via the Generic Syslog (Local) widget in the Huntress portal.
Once a source is successfully added and its logs arrive in the expected format, the source count under the corresponding vendor widget under Firewalls is updated. If the firewall is not sending logs correctly, or the logs are not in the expected format, the source will not be counted under that firewall's widget.
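When the firewall source count stays at zero, the first question is what the firewall is actually putting on the wire and whether it reaches the collector host. The script below is an added example (not Huntress code) that parses syslog lines in the two common wire formats (RFC 3164 BSD style and RFC 5424), decodes facility and severity from the <PRI> header, tallies lines that do not parse, and can send one test datagram to the collector. It assumes the collector listens on UDP/514 (the syslog default; confirm the port in the Enable Syslog Collection (Firewall Logs) article), and every sample line in it is constructed, not captured from a real firewall. It serves both the Generic Syslog (Local) setup above and the source-count check here.

```python
"""Check the syslog a firewall sends to a Huntress syslog collector host.

Added example, not Huntress code. Assumptions: the collector listens on
UDP/514 (syslog default; confirm the port in the Huntress article
"Enable Syslog Collection (Firewall Logs)"), and SAMPLE_LINES below are
constructed, not captured from any real firewall.
"""
import re
import socket
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Optional

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"
              ] + [f"local{n}" for n in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# RFC 3164 (BSD) form: <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s\[]+)(?:\[\d+\])?:? ?(?P<msg>.*)$")
# RFC 5424 form: <PRI>1 TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<tag>\S+) \S+ \S+ "
    r"(?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$")


@dataclass
class SyslogRecord:
    rfc: str         # "3164" or "5424"
    facility: str
    severity: str
    host: str
    tag: str         # TAG (3164) or APP-NAME (5424): what vendor parsing keys on
    msg: str


def parse_syslog(line: str) -> Optional[SyslogRecord]:
    """Return a SyslogRecord, or None if the line lacks a valid <PRI> header."""
    line = line.rstrip("\r\n")
    m, rfc = RFC5424.match(line), "5424"
    if m is None:
        m, rfc = RFC3164.match(line), "3164"
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                      # facility 0-23 and severity 0-7 cap PRI at 191
        return None
    return SyslogRecord(rfc, FACILITIES[pri // 8], SEVERITIES[pri % 8],
                        m.group("host"), m.group("tag"), m.group("msg"))


def summarize(lines: Iterable[str]) -> dict:
    """Tally parsed vs. unparsed lines plus the hosts and facilities seen.
    A non-zero 'unparsed' count, or an unexpected host/tag, is the usual
    reason a source never shows up under its firewall widget."""
    parsed = unparsed = 0
    hosts, facilities = Counter(), Counter()
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            unparsed += 1
            continue
        parsed += 1
        hosts[rec.host] += 1
        facilities[rec.facility] += 1
    return {"parsed": parsed, "unparsed": unparsed,
            "hosts": dict(hosts), "facilities": dict(facilities)}


def build_syslog_datagram(facility: str, severity: str, host: str, tag: str, msg: str) -> bytes:
    """Build an RFC 3164 datagram (space-padded day, as BSD syslog expects)."""
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    now = datetime.now()
    ts = f"{MONTHS[now.month - 1]} {now.day:2d} {now:%H:%M:%S}"
    return f"<{pri}>{ts} {host} {tag}: {msg}".encode()


def send_test_message(collector_ip: str, port: int = 514,
                      msg: str = "huntress syslog path test") -> int:
    """Send one UDP test message to the collector; returns bytes sent.
    Run it from the firewall's network segment so the real path is tested,
    not just localhost. It proves reachability and the listener only; it does
    not exercise the vendor-specific parsing Huntress applies."""
    datagram = build_syslog_datagram("local0", "info", "syslog-test", "fwtest", msg)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(datagram, (collector_ip, port))


# Constructed sample lines (not real captures): a BSD-style firewall deny, an
# RFC 5424 line, and a line missing its <PRI> header, which no SIEM can
# attribute to a facility or vendor.
SAMPLE_LINES = [
    "<134>Feb 10 08:15:42 edge-fw-1 firewall: DENY TCP 203.0.113.7:51514 -> 198.51.100.10:445",
    "<165>1 2024-02-10T08:15:43Z edge-fw-2 fwd 2210 ID47 - deny tcp 203.0.113.7 198.51.100.11 3389",
    "Feb 10 08:15:44 edge-fw-3 firewall: ALLOW UDP 192.0.2.5:53",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_syslog(sample))
    print(summarize(SAMPLE_LINES))
```

Feed summarize() a few lines taken from the firewall's own log export or a packet capture on the collector host. A non-zero unparsed count means the firewall is not emitting standard syslog framing (often a missing <PRI> or a non-standard timestamp), and a tag or host you did not expect means the source will be filed under the wrong name, which is the same symptom as a zero source count in the portal.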
Identity/Authentication
LastPass
From the "Configure" option under SIEM
1. Choose "Last Pass"
2. Use the "Add" option on the right hand side
3. Select the Organization you wish to add the integration to and give it a Name. Optionally, add a description.
Cloud
Coming soon!