So, we have this requirement to consolidate processed/normalised logs and/or alerts from various SIEM platforms, all into Splunk.
Is this a possibility with RSA SA? Does RSA SA have an option to forward processed/normalised logs and/or alerts to another SIEM platform, specifically Splunk? Can we integrate RSA SA with Splunk in this manner?
Visham
It is not a direct integration. However, you could script an hourly/daily extract of the parsed data and inject the exported data into Splunk.
Alerts, however, can be sent to Splunk as the alerts get triggered. This is done by configuring a syslog output of the rule, with the target being the Splunk system.
If you wanted raw data that can be relayed out as soon as it is captured.
Hope this helps
Dave
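As an added illustration of the two paths Dave describes (a scripted extract pushed into Splunk, and rule alerts emitted as syslog toward the Splunk host), here is example code that is not from this thread, RSA or Splunk. The sample extract, its column names, the index/sourcetype values and the SD-ID are all assumptions; Splunk's HTTP Event Collector endpoint and RFC 5424 syslog framing are real.

```python
import csv, io, json, socket, urllib.request
from datetime import datetime, timezone
# Constructed sample extract of parsed meta. Column names are assumed here, not RSA SA's real export schema.
SAMPLE_EXTRACT = """time,device.ip,event.cat.name,ip.src,ip.dst,msg
2014-05-12 10:15:03,10.0.0.5,User.Activity.Failed Logins,192.0.2.10,10.0.0.20,Failed password for admin
2014-05-12 10:15:07,10.0.0.5,User.Activity.Failed Logins,192.0.2.10,10.0.0.20,Failed password for root
"""
def extract_to_hec_events(csv_text, index="rsa_sa", sourcetype="rsa:sa:meta"):
    """Map each exported row to a Splunk HTTP Event Collector (HEC) event object."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(row.pop("time"), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        events.append({"time": ts.timestamp(), "host": row.get("device.ip", "unknown"),
                       "index": index, "sourcetype": sourcetype,
                       "event": row})  # remaining meta keys become searchable JSON fields in Splunk
    return events

def hec_batch_body(events):
    """HEC accepts several JSON event objects concatenated in a single POST body."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)

def post_to_hec(body, hec_url, token, opener=urllib.request.urlopen):
    """POST a batch to the collector endpoint with the HEC token; 'opener' can be stubbed to run offline."""
    req = urllib.request.Request(hec_url, data=body.encode(), method="POST",
                                 headers={"Authorization": "Splunk " + token,
                                          "Content-Type": "application/json"})
    return opener(req)

SYSLOG_SEVERITY = {"critical": 2, "error": 3, "warning": 4, "notice": 5}  # RFC 5424 severity codes

def _sd_escape(value):
    """Escape the three characters RFC 5424 forbids unescaped inside an SD-PARAM value."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

def alert_to_syslog(rule_name, severity, fields, ts=None, hostname="rsa-sa", app="rsa-sa-alert"):
    """Format a triggered rule as one RFC 5424 line, the shape a syslog output aimed at Splunk would carry."""
    pri = 1 * 8 + SYSLOG_SEVERITY[severity]  # facility 'user' (1) * 8 + severity
    ts = ts or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    sd = "[alert@32473 " + " ".join(f'{k}="{_sd_escape(v)}"' for k, v in sorted(fields.items())) + "]"
    return f"<{pri}>1 {ts} {hostname} {app} - {rule_name.replace(' ', '_')} {sd} {rule_name}"

def send_syslog(line, host, port=514):
    """Ship the line by UDP to the port of the syslog input configured on the Splunk host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode(), (host, port))

if __name__ == "__main__":
    print(hec_batch_body(extract_to_hec_events(SAMPLE_EXTRACT)))
    print(alert_to_syslog("Brute Force Login", "warning", {"ip.src": "192.0.2.10", "count": 5}))
```

Splunk does not listen for syslog until a UDP or TCP data input is configured, so the port in send_syslog must match that input; a TCP or TLS input is preferable where the volume or sensitivity of the alerts warrants it.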