Introduction
RecordPoint supports integration with your preferred Security Information and Event Management (SIEM) system to strengthen your security posture by enabling you to monitor and react to key activities within your environment in real time.
Available events
RecordPoint can provide two types of events.
1. Infrastructure events: system level activities from various sources that can be used for security monitoring. Examples include:
- Storage account keys are regenerated (Azure)
- Deletion actions performed per 5-minute window in storage blob (Azure)
- Copy actions performed per 5-minute window in storage blob (Azure)
- Azure Key Vault access TimeSeries anomaly (Backup)
- Sensitive Azure Key Vault operations (Backup)
- Postgres brute force attempt (PostgreSQL)
2. Application events: events that have occurred within the RecordPoint platform. Examples include:
- Record modified
- Record destroyed
- Protected Binary Downloaded
- Rules Created or Modified
- Connector Created or Modified
Note: Events remain in the Event Hub for at least 1 day before aging out; extended retention is available upon request.
How to access events
- RecordPoint will host an Azure Event Hub which contains all relevant SIEM events.
- You must have a SIEM application (such as Azure Sentinel or Splunk) that can consume events and process them from the RecordPoint hosted Event Hub.
- RecordPoint will provide Azure Event Hub connection details and supports a number of recommended patterns for authorisation. In most cases, organisations will use a Service Principal that is granted the Azure Event Hubs Data Receiver role on the relevant Event Hub.
- If necessary, we can share an access key via secure methods.
- When applicable, the Event Hub details you will receive are:
  - Event Hub Name: Found under Namespace Entity > Event Hubs > <Event Hub Name>.
  - Connection String: The Connection string–primary key from the <tenant>AccessKey shared access policy of the Event Hubs Namespace.
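A consumer for the hub described above, as an added example that is not RecordPoint's own code: it prefers the Service Principal path (Azure Event Hubs Data Receiver role, via azure-identity) and falls back to the shared access key, using the azure-eventhub SDK. The environment variable names, the sample connection string and the checkpoint-store remark are assumptions.

```python
import os

# Constructed sample, not a real key. The namespace-level policy string RecordPoint
# shares carries no EntityPath, so the Event Hub name must be supplied separately.
SAMPLE_CONNECTION_STRING = (
    "Endpoint=sb://example-rp.servicebus.windows.net/;"
    "SharedAccessKeyName=exampleAccessKey;SharedAccessKey=c2VjcmV0a2V5==;"
)

def parse_connection_string(conn_str: str) -> dict[str, str]:
    """Split 'Key=Value;...' into parts and derive the fully qualified namespace."""
    parts: dict[str, str] = {}
    for item in conn_str.strip().strip(";").split(";"):
        key, _, value = item.partition("=")  # first '=' only: the base64 key may end in '='
        if key:
            parts[key] = value
    endpoint = parts.get("Endpoint", "")  # sb://<namespace>.servicebus.windows.net/
    parts["FullyQualifiedNamespace"] = endpoint.replace("sb://", "", 1).rstrip("/")
    return parts

def on_event(partition_context, event) -> None:
    """Hand one event to the SIEM, then checkpoint so a restart resumes after it."""
    if event is None:  # receive() passes None when max_wait_time elapses with no data
        return
    body = event.body_as_str()  # event schema is supplied by RecordPoint on request
    print(partition_context.partition_id, event.enqueued_time, body[:200])
    # Persisted only if the client was built with a checkpoint_store (e.g. BlobCheckpointStore).
    partition_context.update_checkpoint(event)

def build_consumer(eventhub_name: str, conn_str: str = "",
                   namespace: str = "", consumer_group: str = "$Default"):
    """Prefer the Service Principal (Data Receiver role); use the shared key only if one was shared."""
    from azure.eventhub import EventHubConsumerClient  # SDK needed only when connecting
    if conn_str:
        p = parse_connection_string(conn_str)  # log endpoint and policy name, never the key itself
        print("connecting to", p["FullyQualifiedNamespace"], "with policy", p.get("SharedAccessKeyName"))
        return EventHubConsumerClient.from_connection_string(
            conn_str, consumer_group=consumer_group, eventhub_name=eventhub_name)
    from azure.identity import ClientSecretCredential  # AZURE_* names are placeholders
    credential = ClientSecretCredential(os.environ["AZURE_TENANT_ID"],
                                        os.environ["AZURE_CLIENT_ID"], os.environ["AZURE_CLIENT_SECRET"])
    return EventHubConsumerClient(namespace, eventhub_name, consumer_group, credential)

if __name__ == "__main__":
    conn = os.environ.get("RECORDPOINT_EVENTHUB_CONNECTION_STRING", "")  # unset => Service Principal path
    client = build_consumer(os.environ["RECORDPOINT_EVENTHUB_NAME"], conn_str=conn,
                            namespace=os.environ.get("RECORDPOINT_EVENTHUB_NAMESPACE", ""))
    with client:
        client.receive(on_event=on_event, starting_position="-1", max_wait_time=60)  # "-1": oldest retained
```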
Example schemas
RecordPoint can provide you with the event schemas upon request.