Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Current »

The SIEM solution requires that four organization users are organized to set the approval and export process. The users are composed of one Exporter and three Approvers. The exporter must be an administrator. The approvers may be any type of user. No one user may have dual role as Exporter and Approver - the four users must be unique.

Note

The Exporter and Approvers must be active and reliable users of the organization as their user accounts and devices are responsible for running the export process. If the users become inactive or are deleted, SIEM logs will fail to export because of missing export and approval functionality. The export of SIEM data is a decentralized, peer-to-peer operation.

Approval Group

The three approvers must be organized into an Approval Group. We suggest defining a new approval group and naming it SIEM Export.

Note that approval groups cannot be edited.

If the approvers were to change a new approval group would need to be created and the SIEM configuration reset.

Key Copy

The Exporter and the Approvers keys are to be copied in a procedure similar to Add Device. The device to be added is SIEM Ubuntu server and the server administrator will respond on the other end. For those that purchased the hosted solution with SCI, a PreVeil technician will be the server administrator. For self-hosted or local operators PreVeil will provide guidance on the Linux commands.

Alternative Accounts for SIEM service

The Exporter and Approvers can be copies of accounts for the purpose of SIEM operations. For instance, a secondary of an email address may be invited to the organization, claimed, and used as a service account. If your email provider supports external-facing alias addresses, then that address may be invited as a service account in your SIEM connector.

  • No labels