SIEM Setup and User Actions
The SIEM solution requires that four organization users be assigned to the approval and export process. The users consist of one Exporter and three Approvers. The Exporter must be an administrator. The Approvers may be any type of user. No user may hold both the Exporter and Approver roles; the four users must be unique.
Note
The Exporter and Approvers must be active and reliable users of the organization, as their user accounts and devices are responsible for running the export process. If any of these users become inactive or are deleted, SIEM logs will fail to export because the export or approval functionality they provide is missing. The export of SIEM data is a decentralized, peer-to-peer operation.
Approval Group
The three approvers must be organized into an Approval Group. We suggest defining a new approval group and naming it SIEM Export.
Note that approval groups cannot be edited.
If the Approvers were to change, a new approval group would need to be created and the SIEM configuration reset.
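Because an approval group cannot be edited and replacing users means resetting the SIEM configuration, it is worth checking the proposed Exporter and Approver assignment against the rules above before creating the group. The following is an added example (not PreVeil's own code) with a constructed user list; the user fields and the domain example.com are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class OrgUser:
    """Minimal view of an organization user; fields are assumed for this example."""
    email: str
    is_admin: bool
    active: bool


def validate_siem_roles(exporter: OrgUser, approvers: list[OrgUser]) -> list[str]:
    """Return the rule violations for a proposed assignment (empty list means it is valid).

    Rules checked (from the setup requirements):
      - the Exporter must be an administrator
      - exactly three Approvers are required (any user type)
      - Exporter and Approvers must be four distinct users
      - every participant must be an active account, or exports will fail
    """
    problems: list[str] = []
    if not exporter.is_admin:
        problems.append(f"exporter {exporter.email} is not an administrator")
    if len(approvers) != 3:
        problems.append(f"expected 3 approvers, got {len(approvers)}")
    participants = [exporter, *approvers]
    # Compare addresses case-insensitively so the same account cannot be counted twice.
    emails = [u.email.lower() for u in participants]
    if len(set(emails)) != len(emails):
        problems.append("exporter and approvers must be four distinct users")
    for user in participants:
        if not user.active:
            problems.append(f"{user.email} is inactive; SIEM export will fail")
    return problems


# Constructed sample users (not real accounts).
SAMPLE_EXPORTER = OrgUser("siem-export@example.com", is_admin=True, active=True)
SAMPLE_APPROVERS = [
    OrgUser("approver1@example.com", is_admin=False, active=True),
    OrgUser("approver2@example.com", is_admin=True, active=True),
    OrgUser("approver3@example.com", is_admin=False, active=True),
]

if __name__ == "__main__":
    for issue in validate_siem_roles(SAMPLE_EXPORTER, SAMPLE_APPROVERS):
        print("problem:", issue)
```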
Key Copy
The Exporter's and the Approvers' keys are copied in a procedure similar to Add Device. The device to be added is the SIEM Ubuntu server, and the server administrator will respond on the other end. For those who purchased the hosted solution with SCI, a PreVeil technician will be the server administrator. For self-hosted or local operators, PreVeil will provide guidance on the Linux commands.
Alternative Accounts for SIEM service
The Exporter and Approvers can be secondary accounts created for the purpose of SIEM operations. For instance, a secondary email address may be invited to the organization, claimed, and used as a service account. If your email provider supports external-facing alias addresses, such an address may be invited to the organization and used as a service account in your SIEM connector.
Changing the Exporter and Approvers
Changing the Exporter and Approvers is possible but requires resetting the SIEM configuration file and the user keys on the server. This may involve recreating an approval group and does require clearing the SIEM server's local database and redoing the key copying. For this reason, we advise choosing active and reliable users in the organization and treating the configuration as permanent.