Indusface WAS integrates with all major Security Information & Event Management (SIEM) providers that integrate with Amazon S3.
With this integration, you can push logs from Indusface WAS into leading SIEM providers like SumoLogic, RSA, Splunk, and McAfee.
Given the complexity of modern architectures encompassing multiple security devices and environments, organizations increasingly rely on SIEM solutions. These solutions enable data aggregation, analysis, and visualization across diverse security systems.
Indusface’s AppTrana WAF has been offering SIEM integration for an extended period, and we are excited to introduce a seamless integration feature that allows you to feed vulnerability data from our web application scanner directly into your SIEM solution.
Indusface WAS sends the following logs into SIEM tools:
Scan logs are the records generated while a web application is being scanned. They typically contain information about the scans performed, such as the date and time of the scan, the target URL or IP address, the scan configuration, and any detected vulnerabilities or anomalies.
Vulnerability logs capture information related to identified vulnerabilities in a web application. These logs provide details about the specific vulnerabilities discovered during scans, such as the type of vulnerability, severity level, and affected components or systems. They serve as a valuable resource for monitoring and addressing security weaknesses in the application.
Indusface WAS sends a wide array of log data. Listed below are the key fields common to all assessments:
| Scan Logs | Vulnerability Logs |
|---|---|
| ScanlogId, ServicType, ServiceId, URL, SealStatus, TotalFoundVulnerabilities, ScanStatus, ScanDate | UniqueAlertId, Title, Severity, OpenStatus, FoundOn ("URL"), FoundDate |
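Once these records land in the SIEM, the useful work is the correlation you build on top of them. The script below is an added example (not Indusface or SIEM vendor code) showing the two rules a SOC usually wants first: a count of open findings by severity with a ticket queue for open High/Critical alerts, and a scan-log regression check that flags a URL whose latest completed scan found more vulnerabilities than the one before it, plus any scan that did not complete. It assumes the records are newline-delimited JSON with the field names from the table above, that OpenStatus carries the strings "Open"/"Closed" and that dates are ISO 8601; the page does not state the serialisation, and the sample records are constructed.

```python
"""Triage Indusface WAS scan and vulnerability logs pulled from the SIEM's S3 bucket.

Added example. Assumptions not stated on the page: one JSON object per line,
field names as in the table, OpenStatus is "Open"/"Closed", dates are ISO 8601.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real Indusface output).
SCAN_LOGS = """\
{"ScanlogId": 101, "ServicType": "WAS", "ServiceId": 7, "URL": "https://shop.example.com", "SealStatus": "Active", "TotalFoundVulnerabilities": 2, "ScanStatus": "Completed", "ScanDate": "2024-03-01T02:00:00Z"}
{"ScanlogId": 102, "ServicType": "WAS", "ServiceId": 7, "URL": "https://shop.example.com", "SealStatus": "Active", "TotalFoundVulnerabilities": 5, "ScanStatus": "Completed", "ScanDate": "2024-03-08T02:00:00Z"}
{"ScanlogId": 103, "ServicType": "WAS", "ServiceId": 9, "URL": "https://api.example.com", "SealStatus": "Active", "TotalFoundVulnerabilities": 1, "ScanStatus": "Failed", "ScanDate": "2024-03-08T02:30:00Z"}
"""

VULN_LOGS = """\
{"UniqueAlertId": "A-1", "Title": "Reflected XSS", "Severity": "High", "OpenStatus": "Open", "FoundOn": "https://shop.example.com/search", "FoundDate": "2024-03-08T02:10:00Z"}
{"UniqueAlertId": "A-2", "Title": "Missing HSTS header", "Severity": "Low", "OpenStatus": "Open", "FoundOn": "https://shop.example.com/", "FoundDate": "2024-03-01T02:05:00Z"}
{"UniqueAlertId": "A-3", "Title": "SQL Injection", "Severity": "Critical", "OpenStatus": "Closed", "FoundOn": "https://shop.example.com/login", "FoundDate": "2024-02-20T02:05:00Z"}
{"UniqueAlertId": "A-4", "Title": "Outdated jQuery", "Severity": "Medium", "OpenStatus": "Open", "FoundOn": "https://api.example.com/docs", "FoundDate": "2024-03-08T02:35:00Z"}
"""


def parse_jsonl(text):
    """Parse newline-delimited JSON. Malformed lines are reported (by line number)
    instead of silently dropped, so the ingest pipeline can alert on them."""
    records, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            bad.append(lineno)
    return records, bad


def open_by_severity(vuln_records):
    """Count open findings per severity (the dashboard number)."""
    counts = defaultdict(int)
    for r in vuln_records:
        if r.get("OpenStatus") == "Open":
            counts[r.get("Severity", "Unknown")] += 1
    return dict(counts)


def open_high_or_critical(vuln_records):
    """UniqueAlertIds of open High/Critical findings, oldest first, for ticketing."""
    hits = [r for r in vuln_records
            if r.get("OpenStatus") == "Open" and r.get("Severity") in ("High", "Critical")]
    hits.sort(key=lambda r: datetime.fromisoformat(r["FoundDate"].replace("Z", "+00:00")))
    return [r["UniqueAlertId"] for r in hits]


def scan_alerts(scan_records):
    """Correlation rule over scan logs. Flags (a) any scan that did not complete
    (a coverage gap) and (b) a URL whose latest completed scan found more
    vulnerabilities than the previous one (a regression). Returns (URL, reason) tuples."""
    by_url = defaultdict(list)
    for r in scan_records:
        by_url[r["URL"]].append(r)
    alerts = []
    for url, scans in by_url.items():
        scans.sort(key=lambda r: r["ScanDate"])  # ISO 8601 sorts lexicographically
        for r in scans:
            if r.get("ScanStatus") != "Completed":
                alerts.append((url, f"scan {r['ScanlogId']} status {r.get('ScanStatus')}"))
        done = [r for r in scans if r.get("ScanStatus") == "Completed"]
        if len(done) >= 2 and done[-1]["TotalFoundVulnerabilities"] > done[-2]["TotalFoundVulnerabilities"]:
            alerts.append((url, f"vulnerability count rose from "
                                f"{done[-2]['TotalFoundVulnerabilities']} to {done[-1]['TotalFoundVulnerabilities']}"))
    return alerts


if __name__ == "__main__":
    scans, bad_scan_lines = parse_jsonl(SCAN_LOGS)
    vulns, bad_vuln_lines = parse_jsonl(VULN_LOGS)
    print("open by severity:", open_by_severity(vulns))
    print("needs ticket:", open_high_or_critical(vulns))
    for url, reason in scan_alerts(scans):
        print(f"ALERT {url}: {reason}")
```

Both rules key on the URL fields (URL in scan logs, FoundOn in vulnerability logs), which is what lets the SIEM join scanner output with WAF or access-log events for the same host.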
Indusface WAS customers who want to enable the SIEM log feature must set up the integration using the S3 method under Indusface WAS >> Settings >> SIEM Configuration.
Click the toggle button to Enable SIEM S3 Logs.
The setup process for SIEM log integration requires the SIEM's AWS Account ID and External ID, which are used to set up a role-based access account in the Indusface AWS account:
You can get these details from the SIEM tool into which you want to integrate the S3 logs. For instance, the following steps describe creating a collector in Sumo Logic.
In Sumo Logic, go to Manage Data >> Collection >> Collection and click Add Source.
This can be an existing hosted collector or one you have created for this task. Here, we have selected our AWS source type: Amazon S3.
Under Amazon S3 >> AWS Access >> Access Method, you can find the Account ID and External ID details.
Enter the Account ID and External ID in the respective fields of the Indusface WAS (shown in Step 1) and then click the Submit button.
Once the ARN is created successfully, WAS will automatically display the details to integrate S3 logs into SIEM.
To strengthen security measures, you must connect to your S3 bucket by using AWS Amazon Resource Name (ARN) authentication and an Identity and Access Management (IAM) role.
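The security-relevant detail in this hand-off is the External ID: the SIEM assumes a role in the log owner's AWS account, and the role's trust policy should grant sts:AssumeRole only to the SIEM's account and only when that External ID is presented, which is AWS's mitigation for the confused-deputy problem. The script below is an added example (not Indusface or Sumo Logic code) that builds such a trust policy and checks an existing one for the three mistakes that undermine it: a wildcard principal, a principal outside the SIEM's account, and a missing or mismatched sts:ExternalId condition. The account ID and external ID values are placeholders.

```python
"""Build and lint the cross-account trust policy used for the S3 log hand-off.

Added example. SIEM_ACCOUNT_ID and SIEM_EXTERNAL_ID are placeholders; use the
values shown on the SIEM's AWS Access page.
"""
import json

SIEM_ACCOUNT_ID = "111111111111"            # placeholder: the SIEM's AWS account
SIEM_EXTERNAL_ID = "EXTERNAL-ID-PLACEHOLDER"  # placeholder: External ID the SIEM shows


def build_trust_policy(account_id, external_id):
    """Trust policy allowing only the SIEM account to assume the role, and only
    when the agreed External ID is passed to sts:AssumeRole."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def build_role_permissions(bucket_name):
    """Least-privilege permissions policy for the role: read and list the log
    bucket, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket_name}/*"},
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket_name}"},
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def trust_policy_findings(policy, expected_account_id, expected_external_id):
    """Return a list of problems in a trust policy document; an empty list means OK.
    Only Allow statements that grant sts:AssumeRole are examined."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(st.get("Action"))):
            continue
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: wildcard principal lets any AWS account assume the role")
        elif isinstance(principal, dict):
            for p in _as_list(principal.get("AWS")):
                # Principals may be a bare account ID or an ARN containing it.
                if p != expected_account_id and f":{expected_account_id}:" not in p:
                    findings.append(f"statement {i}: principal {p} is not the SIEM account")
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append(f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
        elif ext != expected_external_id:
            findings.append(f"statement {i}: sts:ExternalId does not match the value the SIEM supplied")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(SIEM_ACCOUNT_ID, SIEM_EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy, SIEM_ACCOUNT_ID, SIEM_EXTERNAL_ID))
```

Run the linter against the trust policy of the role whose ARN the WAS console displays; a non-empty findings list means the External ID the SIEM supplied is not actually being enforced.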
Go back to the Sumo Logic configuration page, and complete the integration form by filling in the appropriate details:
After you have finished the Source setup, remember to click Save to save your configurations.
Once the configuration is completed, you can view the Indusface WAS scan logs in your SIEM tool as shown below:
| Configuration | Description |
|---|---|
| Enable SIEM S3 Logs | If the button is enabled, logs will be stored. |
| Disable SIEM S3 Logs | You can disable storing logs temporarily. If the button is disabled, logs will not be stored until you enable it. |
| Update | You can update the configuration with new details. |
| Delete Configurations | You can delete the whole configuration. |
SIEM is an essential tool for any SOC, and integrating DAST scanners with SIEM tools is a best practice that world-class SOC teams follow. Leverage the integration today, and for any questions, write to support@indusface.com.
Stay tuned for more relevant and interesting security articles. Follow Indusface on Facebook, Twitter, and LinkedIn.
This post was last modified on March 21, 2024 18:13