14.2 Configuring Secure Configuration Manager for SIEM Integration

You can configure Core Services to send an event to the SIEM solution when an endpoint’s assessment results exceed the risk score or compliance threshold. You can have Secure Configuration Manager attach a detailed report to each event it sends to the SIEM solution. For more information about how this might affect hardware requirements on the SIEM server, see Understanding Data Storage Requirements.

14.2.1 Configuring the Basic Settings for SIEM Integration

  1. Open the Core Services Configuration Utility in Advanced mode.

    For more information, see Accessing the Advanced Tab.

  2. Click Forward Assessment Report, then complete the following steps:

    1. For Forward Events of Assessment Result, specify Enabled.

    2. For Destination Server, specify the URL of the SIEM server that will receive the events.

    3. For Destination Server Credentials, specify the user name and password of the SIEM server.

    4. (Conditional) If the SIEM server exists in a multi-tenant environment, specify the Tenant Name (or department name) for which you want to send events.

      Core Services uses the default value if you do not specify a tenant name.

    5. (Optional) Customize the settings for sending assessment events. For more information, see Customizing the Event Data Sent to the SIEM Server.

  3. Click Advanced.

  4. (Conditional) When integrating with ArcSight or Splunk, specify true for assessment/Thirdparty/SIEM/AppIntegration/Enabled.

  5. (Conditional) When integrating with Sentinel, specify one of the following values for assessment/Check/Include:

    True

    Sends a report to the SIEM server for each security check that is run as part of a policy template.

    NOTE: Many of the commonly run policy templates include a large number of security checks. Some policy templates have more than 100 security checks.

    False

    Sends a consolidated report to the SIEM server for each policy template that you run.

  6. Click Apply to apply the settings.

  7. Restart the NetIQ Core Services service.

14.2.2 Adding the SIEM Server to Core Services

Core Services must know the connection settings for the SIEM server.

  1. Open the thirdpartysiem.csv file, located by default in the NetIQ\Secure Configuration Manager\Core Services\etc folder.

  2. Add entries to the file that specify the connection settings for each SIEM server to which you want to send event data. Use the following format:

    IP_address:port,protocol

    For example:

    162.99.123.245:524,TCP
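    Because thirdpartysiem.csv is edited by hand, a malformed entry (missing port, port out of range, unexpected transport) is easy to introduce and only shows up when Core Services fails to reach the SIEM server. The following validator is an added example, not part of the Secure Configuration Manager documentation or product: it parses the IP_address:port,protocol format shown above and reports each defective line. The sample file contents are constructed; the assumption that TCP and UDP are the accepted protocol values is ours, since the page only shows TCP.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample contents for thirdpartysiem.csv: one valid line followed by
# the kinds of mistakes that are easy to make when editing the file by hand.
SAMPLE_THIRDPARTYSIEM_CSV = """\
162.99.123.245:524,TCP
10.0.0.8:514,udp
10.0.0.9,TCP
10.0.0.10:70000,TCP
10.0.0.11:514,HTTP
"""

# Assumption: TCP and UDP are the accepted transports (the page only shows TCP).
ALLOWED_PROTOCOLS = {"TCP", "UDP"}

SiemEntry = Tuple[str, int, str]


def parse_siem_entry(line: str) -> SiemEntry:
    """Parse one 'IP_address:port,protocol' entry; raise ValueError on any defect."""
    line = line.strip()
    try:
        endpoint, protocol = line.split(",")
    except ValueError:
        raise ValueError(f"expected exactly one comma: {line!r}")
    # rpartition keeps IPv6 literals such as [::1]:514 intact.
    host, sep, port_text = endpoint.rpartition(":")
    if not sep:
        raise ValueError(f"missing ':port': {line!r}")
    ip = ipaddress.ip_address(host.strip().strip("[]"))  # ValueError if not an IP
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    protocol = protocol.strip().upper()
    if protocol not in ALLOWED_PROTOCOLS:
        raise ValueError(f"unsupported protocol: {protocol!r}")
    return str(ip), port, protocol


def validate_siem_file(text: str) -> Tuple[List[SiemEntry], List[str]]:
    """Return (valid entries, error messages tagged with their 1-based line number)."""
    entries: List[SiemEntry] = []
    errors: List[str] = []
    for number, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue  # blank lines carry no connection setting
        try:
            entries.append(parse_siem_entry(raw))
        except ValueError as exc:
            errors.append(f"line {number}: {exc}")
    return entries, errors


if __name__ == "__main__":
    ok, bad = validate_siem_file(SAMPLE_THIRDPARTYSIEM_CSV)
    for ip, port, proto in ok:
        print(f"OK    {ip}:{port} over {proto}")
    for message in bad:
        print(f"ERROR {message}")
```

    Run it against the real file with `validate_siem_file(open(path).read())` before restarting the NetIQ Core Services service; a non-empty error list means at least one SIEM destination will be silently unreachable.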

14.2.3 Specifying the Assessments to Include in Event Data

You can configure Secure Configuration Manager to always send event data for specific policy templates and security checks.

NOTE: When users run any policy template or a security check in the console, they can select the Forward Assessment Report to Destination Server option to send out-of-compliance results to the SIEM server. For more information, see Automating Out-of-Compliance Notifications.

  1. Log in to the Secure Configuration Manager Windows console.

  2. Navigate to Go > Assessment Configuration.

  3. Select the policy templates or security checks that you want to always trigger event data.

14.2.4 Customizing the Event Data Sent to the SIEM Server

  1. Open the Core Services Configuration Utility.

  2. For Forward Assessment Events, specify the type of data that you want to send as assessment events:

    By Asset

    Sends a report for each asset that Secure Configuration Manager assesses (for example, an endpoint).

    If you run a policy template against 100 assets, Secure Configuration Manager sends 100 reports.

    By Policy

    Sends a report for each policy template run.

    If you run two policy templates against 100 assets in your enterprise, Secure Configuration Manager sends two reports. Each report contains information about the endpoints that were assessed.

    By Asset and Policy

    Sends a report for each asset assessed and policy template run.

    If you run two policy templates against 100 assets in your system, Secure Configuration Manager sends 102 reports: two reports that contain information about all the assets (generated for two policy templates) and 100 reports that contain information about each asset.

  3. For Enable Events for Compliant Results, specify whether you want to send events when an endpoint’s assessment results show as in compliance.

  4. For Enable Events for Out Of Compliance Results With, specify whether you want to send events when an endpoint’s assessment results are out of compliance, based on the reported risk score:

    False

    Specifies that you do not want to send out-of-compliance assessment events.

    Low Risk and Above

    Specifies that you want to send events for assessment results that report at any risk level.

    Medium Risk and Above

    Specifies that you want to send events only for assessment results that report as a medium or high risk.

    High Risk

    Default value

    Specifies that you want to send events only for assessment results that report as high-risk.

    For more information about risk scores, see Understanding Risk Scoring.

  5. For Enable Events where Results are Incomplete, specify whether you want to send events when an endpoint’s assessment results show unknown compliance.

  6. Click Apply to apply the settings.

  7. Restart the NetIQ Core Services service.
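The three event switches in this procedure (compliant results, out-of-compliance results at or above a risk level, incomplete results) together decide which assessment results ever reach the SIEM server, and the Forward Assessment Events mode decides how many reports carry them. The model below is an added example written for this page, not code from NetIQ or from Secure Configuration Manager: it reproduces the setting values named above as strings, applies them to a constructed set of assessment results, and counts reports per mode using the page's own worked numbers (By Asset and Policy = one report per policy template plus one per asset). The dataclass field names, endpoint names and template names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Ordering used by the "… and Above" settings.
RISK_ORDER = {"Low": 1, "Medium": 2, "High": 3}

# Lowest risk forwarded for each "Enable Events for Out Of Compliance Results With" value.
OUT_OF_COMPLIANCE_THRESHOLD = {
    "False": None,                          # never forward out-of-compliance results
    "Low Risk and Above": RISK_ORDER["Low"],
    "Medium Risk and Above": RISK_ORDER["Medium"],
    "High Risk": RISK_ORDER["High"],        # default value
}


@dataclass
class ForwardingSettings:
    """The three event switches from the Core Services Configuration Utility (constructed field names)."""
    compliant: bool = False                       # Enable Events for Compliant Results
    out_of_compliance_with: str = "High Risk"     # Enable Events for Out Of Compliance Results With
    incomplete: bool = False                      # Enable Events where Results are Incomplete


@dataclass
class AssessmentResult:
    endpoint: str
    policy_template: str
    compliance: str             # "Compliant", "Out of Compliance" or "Unknown"
    risk: Optional[str] = None  # "Low" / "Medium" / "High" for out-of-compliance results


# Constructed sample: three endpoints assessed with two policy templates.
SAMPLE_RESULTS = [
    AssessmentResult("srv-01", "Template-A", "Out of Compliance", "High"),
    AssessmentResult("srv-01", "Template-B", "Compliant"),
    AssessmentResult("srv-02", "Template-A", "Out of Compliance", "Medium"),
    AssessmentResult("srv-02", "Template-B", "Unknown"),
    AssessmentResult("srv-03", "Template-A", "Out of Compliance", "Low"),
]


def should_forward(result: AssessmentResult, settings: ForwardingSettings) -> bool:
    """Decide whether one assessment result becomes an event for the SIEM server."""
    if result.compliance == "Compliant":
        return settings.compliant
    if result.compliance == "Unknown":
        return settings.incomplete
    if result.compliance == "Out of Compliance":
        threshold = OUT_OF_COMPLIANCE_THRESHOLD[settings.out_of_compliance_with]
        return threshold is not None and RISK_ORDER[result.risk] >= threshold
    raise ValueError(f"unknown compliance state: {result.compliance!r}")


def select_forwarded(results: List[AssessmentResult],
                     settings: ForwardingSettings) -> List[AssessmentResult]:
    """Return the results that would be sent as assessment events under these settings."""
    return [r for r in results if should_forward(r, settings)]


def count_reports(results: List[AssessmentResult], mode: str) -> int:
    """Number of reports for a Forward Assessment Events mode, following the page's examples."""
    assets = {r.endpoint for r in results}
    policies = {r.policy_template for r in results}
    if mode == "By Asset":
        return len(assets)
    if mode == "By Policy":
        return len(policies)
    if mode == "By Asset and Policy":
        return len(assets) + len(policies)
    raise ValueError(f"unknown mode: {mode!r}")


if __name__ == "__main__":
    defaults = ForwardingSettings()
    for r in select_forwarded(SAMPLE_RESULTS, defaults):
        print(f"forward: {r.endpoint} / {r.policy_template} ({r.compliance}, {r.risk})")
    for mode in ("By Asset", "By Policy", "By Asset and Policy"):
        print(f"{mode}: {count_reports(SAMPLE_RESULTS, mode)} report(s)")
```

With the default settings only the high-risk result for srv-01 is forwarded; lowering the threshold to Low Risk and Above and enabling compliant and incomplete events forwards all five results, which is the volume to weigh against the SIEM server's storage before changing the defaults.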