SIEM Data Transfer

Security Information Event Management (SIEM) allows you to collect volumes of data in real time so security teams can detect and block attacks. CloudStream DM SIEM Transfer feature enables you to configure the connection to the SIEM Splunk server and download SIEM logs.

CloudStream currently supports Splunk Enterprise only.


Preconditions
You must have an Uninstall Print&Scan Embedded App license to set up the SIEM settings. Contact Ricoh to purchase the license.

In order to transfer SIEM log data from CloudStream DM to your SIEM tool, you must allow the tool to access the CloudStream DM environment in your network.

Allow connections from the CloudStream DM IP address for your region, listed in the table below.

  Region          CloudStream DM URL pattern      CloudStream DM IP Address
  Europe          *.eu.cloudstream.ricoh.com      20.113.73.197
  North America   *.na.cloudstream.ricoh.com      20.252.6.56
  Asia Pacific    *.ap.cloudstream.ricoh.com      20.227.2.98
  Canada          *.ca.cloudstream.ricoh.com      20.220.243.35

You can determine the region by looking at your CloudStream DM URL.

For example, if the URL is https://mycompany.na.cloudstream.ricoh.com, the region is North America, because the URL contains na.cloudstream.ricoh.com.

A Splunk HEC token must be generated first; see Generate HEC Token below. Then configure the transfer:
  1. Login as an administrator.

  2. Go to System and expand Server Settings.

  3. Click SIEM Transfer Settings.

  4. Check Enable SIEM Transfer.

  5. Enter the hostname of the SIEM solution, then enter the port number.

  6. Enter the SIEM authentication token.

  7. Click [Save].

Saving the configuration establishes a connection to the SIEM. If the connection succeeds, the configuration is saved. If the connection fails, an error message is displayed and the configuration is not saved; correct the required fields and click [Save] again.

SIEM Transfer runs once a day at a fixed time, scheduled relative to UTC+0. When the transfer starts, data appears in the SIEM Transfer table.

SIEM Transfer Table

The table has the following columns.

  Date
    Displays the date and time the data transfer started.

  Status
    Displays the result of the transfer.
    • Succeeded - successful data transfer.
    • Failed - data transfer failed.
    • Skipped - data transfer was skipped. When it is time to transfer data but there is no new data to transfer, the status displays 'Skipped'.

  SIEM Transfer Log Details
    Displays the details of the transfer.
    • A successful transfer displays the details of the data transferred.
    • A failed transfer displays the reason for the failure.
    • A skipped transfer displays the message: "No SIEM log data to be transferred or the additional data is not available".

Download SIEM Data Transfer

You can download the SIEM Data Transfer details as a CSV file. Click the icon in the top right corner of the table.

A CSV file containing the details is downloaded immediately. The file name has the format <Date and Time>_SIEMTransferLogDetails.

Filter Details

Use the filter function to find specific data transfer information.

  1. Click the icon.

  2. In the column's search box, enter the value you want to search for.

  3. Click the bottom icon or press Enter on your keyboard.

The details that match your search criteria are displayed in the list.

To clear the search results, delete the values from the column search box, then click the icon or press Enter on your keyboard.


Generate HEC Token

The HTTP Event Collector (HEC) lets you send data and application events to a Splunk deployment over the HTTP and Secure HTTP (HTTPS) protocols. HEC uses a token-based authentication model. You must generate a token before you configure the CloudStream DM SIEM Transfer feature.

CloudStream DM only supports a SIEM tool called "Splunk Enterprise".

For Splunk Cloud Platform, to generate a token, follow the steps below:

  1. Access your Splunk Cloud Platform.

  2. Click Settings, then click [Add Data].

  3. Click Monitor, then click HTTP Event Collector.

  4. In the Name field, enter a name for the token.

  5. (Optional) In the Source name override field, enter a name for a source to be assigned to events that this endpoint generates.

  6. (Optional) In the Description field, enter a description for the input.

  7. (Optional) If you want to enable indexer acknowledgment for this token, click the Enable indexer acknowledgment checkbox.

  8. Click [Next].

  9. (Optional) Make edits to the source type and confirm the index where you want HEC events to be stored.

  10. Click [Review].

  11. Confirm that all settings for the endpoint are what you want.

  12. If all settings are what you want, click [Submit]. Otherwise, click < to make changes.

  13. (Optional) Copy the token value that Splunk Web displays and paste it into another document for reference later.

  14. (Optional) Click Track deployment progress to see progress on how the token has been deployed to the rest of the Splunk Cloud Platform deployment. When you see a status of "Done", you can then use the token to send data to HEC.

These steps are taken from docs.splunk.com; see the Splunk site for further instructions.

To enable HEC for use with Amazon Web Services (AWS) Kinesis Firehose, you must file a ticket with Splunk Support. Standard HEC is enabled by default on all Splunk Cloud Platform deployments and does not require a Splunk Support ticket.
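As an added example (not CloudStream's or Splunk's own code), the following Python helper ties together the allow-list table, the connection test performed on [Save], and the HEC token model described above: it derives the CloudStream DM source IP from a CloudStream DM URL, builds the HEC event request that the connection test exercises, and maps the HEC reply to the Succeeded/Failed statuses of the transfer table. The endpoint path, the `Authorization: Splunk <token>` header and the reply codes are Splunk's documented HEC interface; the host, port, token value and helper names are constructed placeholders, and the default HEC port 8088 is assumed.

```python
import json
import re
import urllib.error
import urllib.request

# Region suffix -> CloudStream DM source IP, copied from the table on this page.
REGION_SOURCE_IP = {
    "eu": "20.113.73.197",
    "na": "20.252.6.56",
    "ap": "20.227.2.98",
    "ca": "20.220.243.35",
}

# Subset of the reply codes Splunk documents for HEC; 0 is the only success code.
HEC_CODES = {0: "Success", 1: "Token disabled", 2: "Token is required",
             3: "Invalid authorization", 4: "Invalid token", 5: "No data",
             7: "Incorrect index"}

def expected_source_ip(cloudstream_url):
    """Read the region from a CloudStream DM URL and return the IP to allow inbound."""
    m = re.match(r"https://[^./]+\.(eu|na|ap|ca)\.cloudstream\.ricoh\.com(?:/.*)?$",
                 cloudstream_url)
    if not m:
        raise ValueError("not a CloudStream DM URL: " + cloudstream_url)
    return REGION_SOURCE_IP[m.group(1)]

def build_hec_request(host, port, token, event, source="cloudstream_dm_siem"):
    """Build the HTTPS POST to Splunk's HEC event endpoint, authenticated by token."""
    body = json.dumps({"event": event, "source": source}).encode()
    return urllib.request.Request(
        f"https://{host}:{port}/services/collector/event",
        data=body,
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
        method="POST")

def classify_hec_reply(http_status, body):
    """Map an HEC reply to the transfer table's Succeeded/Failed status plus a reason."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "Failed", f"HTTP {http_status}: unparseable reply"
    code = data.get("code") if isinstance(data, dict) else None
    if http_status == 200 and code == 0:
        return "Succeeded", "Success"
    return "Failed", f"HTTP {http_status}: {HEC_CODES.get(code, 'code ' + str(code))}"

def send_test_event(host, port, token, timeout=10):
    """Perform a connection test like the one run on [Save] (placeholder host/token)."""
    req = build_hec_request(host, port, token, {"message": "CloudStream DM SIEM test"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_hec_reply(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:
        return classify_hec_reply(e.code, e.read().decode())
```

A non-zero HEC code returned on [Save] is the same condition that leaves the configuration unsaved, so the reason string is what to check against the token settings in Splunk.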


To generate a token for Splunk Enterprise, follow the steps below.

  1. Access your Splunk Cloud Platform.

  2. Click Settings, then click [Add Data].

  3. Click Monitor, then click HTTP Event Collector.

  4. In the Name field, enter a name for the token.

  5. (Optional) In the Source name override field, enter a name for a source to be assigned to events that this endpoint generates.

  6. (Optional) In the Description field, enter a description for the input.

  7. (Optional) If you want to enable indexer acknowledgment for this token, click the Enable indexer acknowledgment checkbox.

  8. Click [Next].

  9. (Optional) Make edits to the source type and confirm the index where you want HEC events to be stored.

  10. Click [Review].

  11. Confirm that all settings for the endpoint are what you want.

  12. If all settings are what you want, click [Submit]. Otherwise, click < to make changes.

  13. (Optional) Copy the token value that Splunk Web displays and paste it into another document for reference later.

These steps are taken from docs.splunk.com; see the Splunk site for further instructions.