How To Send Access Events (Read, Write, Delete) for Monitored Files to a SOC Team via Syslog/SIEM Integration

Article: 100074020
Last Published: 2025-03-18
Product(s): Data Insight

Description

This guide addresses the need to send file access events (such as read, write, delete) monitored by Veritas Data Insight (DI) to a Security Operations Center (SOC) or SIEM system.

How can I send file access events monitored by Veritas Data Insight to a SOC or SIEM system?

Resolution:

Context and Importance

Organizations often require file access event data to be sent to their SOC or SIEM systems for security monitoring and compliance purposes. Veritas Data Insight provides robust monitoring capabilities but does not offer direct syslog integration. The recommended approach involves using DQL reports to extract the required data and then importing it into the SOC or SIEM system.

Steps to Accomplish the Task

Step 1: Create a DQL Report

  1. Log in to the Veritas Data Insight console.
  2. Navigate to the Reports section.
  3. Select Create Report and choose the Custom Report option.
  4. Use DQL (Data Query Language) to define the report parameters that capture file access events (read, write, delete).
    • Specify the monitored files or directories.
    • Include relevant filters for event types and time ranges.
  5. Save the report configuration.

Step 2: Export the Report Data

  1. Run the DQL report to generate the data.
  2. Export the report results in CSV format.
    • Ensure the CSV file includes all necessary fields for integration, such as file path, event type, timestamp, and user details.

Step 3: Import Data into SIEM System

  1. Transfer the exported CSV file to the system where the SIEM tool (e.g., Splunk) is hosted.
  2. Configure the SIEM tool to import the CSV file.
    • Set up a scheduled import process to handle periodic updates (e.g., weekly).
    • Map the fields in the CSV file to the corresponding fields in the SIEM system.

Step 4: Automate the Process (Optional)

  • Work with your Professional Services team or account team to automate the DQL report generation and CSV export process.
  • Consider scripting or using third-party tools to streamline the transfer and import of data into the SIEM system.
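An added example of the scripting option, not code from the article or from Veritas: it reads the exported CSV, maps its columns to SIEM field names, keeps only read/write/delete events, and formats each one as an RFC 5424 syslog message ready for forwarding. The column names (Timestamp, User, Operation, Path, Server), the UTC assumption for export times, and the sample rows are assumptions; adjust them to your report's actual headers.

```python
import csv
import io
import json
import socket
from datetime import datetime, timezone

# Assumed DQL export columns -> SIEM field names (adjust to your report headers).
FIELD_MAP = {"Timestamp": "event_time", "User": "user", "Operation": "action",
             "Path": "file_path", "Server": "host"}
ACCESS_EVENTS = {"read", "write", "delete"}   # the events the SOC use case covers
SEVERITY = {"delete": 5, "read": 6, "write": 6}  # syslog: 5 = notice, 6 = info

# Constructed sample export (not real data); the Rename row should be dropped.
SAMPLE_CSV = """Timestamp,User,Operation,Path,Server
2025-03-10 09:15:22,CORP\\alice,Read,\\\\fs01\\finance\\q1.xlsx,fs01
2025-03-10 09:16:05,CORP\\bob,Delete,\\\\fs01\\finance\\old.docx,fs01
2025-03-10 09:17:40,CORP\\carol,Rename,\\\\fs01\\hr\\a.txt,fs01
"""

def parse_events(csv_text):
    """Map CSV rows to SIEM fields, keeping only read/write/delete access events."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ev = {siem: row.get(col, "").strip() for col, siem in FIELD_MAP.items()}
        ev["action"] = ev["action"].lower()
        if ev["action"] not in ACCESS_EVENTS:
            continue
        try:  # normalize to ISO 8601; assumes the export writes UTC timestamps
            ts = datetime.strptime(ev["event_time"], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # malformed timestamp: skip rather than forward bad data
        ev["event_time"] = ts.replace(tzinfo=timezone.utc).isoformat()
        events.append(ev)
    return events

def to_syslog(ev, app="data-insight", facility=13):
    """Build an RFC 5424 line (facility 13 = log audit) with a JSON payload."""
    pri = facility * 8 + SEVERITY[ev["action"]]
    return f"<{pri}>1 {ev['event_time']} {ev['host']} {app} - - - {json.dumps(ev, sort_keys=True)}"

def send_udp(messages, host="127.0.0.1", port=514):
    """Forward formatted messages to a syslog collector over UDP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for msg in messages:
            sock.sendto(msg.encode("utf-8"), (host, port))

if __name__ == "__main__":
    for line in map(to_syslog, parse_events(SAMPLE_CSV)):
        print(line)
```

Run it on a schedule matching your export cadence, pointing `send_udp` at the collector your SIEM already ingests from; use TLS syslog or the SIEM's own CSV import if plain UDP is not acceptable in your environment.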

Additional Considerations

  • Direct database querying is not supported due to the distributed data architecture of Veritas Data Insight.
  • Ensure that the exported data complies with your organization's security and privacy policies.
  • Monitor the data growth and adjust the import frequency or storage capacity in your SIEM system as needed.

Advantages of Using DQL Reports

  • Flexibility to customize reports based on specific requirements.
  • Ability to handle large volumes of data through periodic exports.
  • Compatibility with most SIEM systems that support CSV file imports.


Content in the knowledge base article has been created with the assistance of an artificial intelligence language model.
