Questions About SIEM Integration With Security Analytics
I don't have the SA product or any SA documentation. I also don't see any official SA documentation (for installation, configuration, administration) on this community site. If these items are here, please help me find them. But my questions are:
1) How does SA integrate with common SIEMs? Via SOAP? Files? TCP? I am talking about SIEMs such as ArcSight, FireEye, Splunk, AlienVault, and QRadar.
2) About how long does it take to integrate a single SIEM data source into SA?
- Community Thread
- Forum Thread
- RSA NetWitness
- RSA NetWitness Platform
Also, do you know if event sources not on the official list could theoretically be used? FireEye is on the list, but QRadar, for example, is not.
Is there a generic way to package event source information so that it can be imported by SA? So if I properly packaged event source info from QRadar it could be used with SA?
"What type of integration are you talking about? Forwarding logs, alerts, integrating the UIs to link investigations, something else?"
Possibly forwarding logs.
Not UI integration though.