15.1 Understanding Integration with a SIEM Solution

Secure Configuration Manager sends information about the compliance status of an endpoint as an event to the following SIEM solutions:

  • Micro Focus ArcSight

  • Micro Focus Sentinel

  • Splunk Enterprise Server

Each event contains applicable attributes of the endpoint, such as asset name and IP address. Secure Configuration Manager generates event data in near real-time, subject to latency factors such as network traffic and connectivity.

15.1.1 Understanding the Component Architecture

As shown in the following diagram, Core Services connects to the data receiver component of the SIEM solution through a TCP/IP or UDP connection. Then Core Services sends the compliance data in common event format (CEF) to ArcSight and Splunk. Core Services sends event data to Sentinel using a proprietary format that adheres to Sentinel’s taxonomy.
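The CEF stream that ArcSight or Splunk receives is a sequence of pipe-delimited header fields followed by space-separated `key=value` extensions, with `|` and `\` escaped in the header and `=`, `\`, newline and carriage return escaped in the extensions. The parser below is an added example of how a receiver decodes such lines and rejects the ones that arrive damaged (for instance a datagram truncated in transit over UDP); it is not Secure Configuration Manager's or either SIEM's code. The sample events are constructed: `cs1`, `cs1Label`, `dst` and `msg` are standard CEF extension keys, but the page does not specify which keys the product actually emits, so the vendor, product and key layout here are assumptions.

```python
"""Parse CEF lines of the kind a SIEM receiver ingests over TCP or UDP.

Added example: the events below are constructed for illustration and do not
reproduce Secure Configuration Manager's actual field layout or extension keys.
"""
import re
from dataclasses import dataclass, field

HEADER_FIELD_COUNT = 7  # version, vendor, product, device version, event class id, name, severity

# Escapes permitted in the extension part; the header permits only '\|' and '\\'.
_EXT_ESCAPES = {"=": "=", "\\": "\\", "|": "|", "n": "\n", "r": "\r"}
# key=value pairs; a value runs until the next " key=" or the end of the line.
_EXT_PAIR = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|\s*$)")
_WORD_SEVERITY = {"low": 0, "medium": 4, "high": 7, "very-high": 9}


@dataclass
class CefEvent:
    version: int
    vendor: str
    product: str
    device_version: str
    event_class_id: str
    name: str
    severity: str
    extensions: dict = field(default_factory=dict)


def _split_header(body: str) -> list:
    """Split on unescaped '|' and return the 7 header fields plus the raw extension."""
    fields, buf, i = [], [], 0
    while i < len(body) and len(fields) < HEADER_FIELD_COUNT:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            buf.append(body[i + 1])  # '\|' -> '|', '\\' -> '\'
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    # Tolerate a line that ends right after the severity with no trailing '|'.
    if len(fields) == HEADER_FIELD_COUNT - 1 and i == len(body):
        fields.append("".join(buf))
    if len(fields) < HEADER_FIELD_COUNT:
        raise ValueError("truncated CEF header: %d of %d fields" % (len(fields), HEADER_FIELD_COUNT))
    fields.append(body[i:])  # everything after the seventh '|' is the extension
    return fields


def _unescape_ext(value: str) -> str:
    """Resolve extension escapes; unknown escapes are kept verbatim rather than guessed."""
    return re.sub(r"\\(.)", lambda m: _EXT_ESCAPES.get(m.group(1), m.group(0)), value)


def parse_cef(line: str) -> CefEvent:
    """Parse one CEF line; raise ValueError for anything that is not well formed."""
    line = line.rstrip("\r\n")
    if not line.startswith("CEF:"):
        raise ValueError("missing CEF: prefix")
    fields = _split_header(line[len("CEF:"):])
    try:
        version = int(fields[0])
    except ValueError:
        raise ValueError("non-numeric CEF version %r" % fields[0])
    extensions = {k: _unescape_ext(v) for k, v in _EXT_PAIR.findall(fields[7])}
    return CefEvent(version, *fields[1:7], extensions)


def parse_cef_stream(lines):
    """Parse a batch as a receiver would: keep good events, record what was rejected and why."""
    events, rejected = [], []
    for line in lines:
        try:
            events.append(parse_cef(line))
        except ValueError as exc:
            rejected.append((line, str(exc)))
    return events, rejected


def severity_level(sev: str) -> int:
    """Normalise CEF severity (0-10 or Low/Medium/High/Very-High) to an integer."""
    try:
        return int(sev)
    except ValueError:
        return _WORD_SEVERITY.get(sev.strip().lower(), 0)


def failing_hosts(events, min_severity: int = 7) -> dict:
    """Map endpoint IP (dst) to asset names (cs1) for events at or above min_severity."""
    out = {}
    for ev in events:
        if severity_level(ev.severity) >= min_severity:
            out.setdefault(ev.extensions.get("dst", "?"), set()).add(ev.extensions.get("cs1", "?"))
    return out


# Constructed sample input (not real product output).
SAMPLE_LINES = [
    # well-formed event: 'dst' carries the endpoint IP, 'cs1' the asset name
    "CEF:0|ExampleVendor|ExampleProduct|1.0|POLICY_FAIL|Policy check failed|8|"
    "cs1=web01 cs1Label=Asset Name dst=10.0.0.5 msg=Password length policy\\=fail\\nsee report",
    # escaped pipe inside the Name header field
    "CEF:0|ExampleVendor|ExampleProduct|1.0|POLICY_PASS|Policy check \\| passed|2|cs1=db02 dst=10.0.0.7",
    # truncated line, as when a UDP datagram is cut: must be rejected, not half-parsed
    "CEF:0|ExampleVendor|ExampleProduct|1.0|POLICY_FAIL",
    # not CEF at all
    "<14>Jan 01 00:00:00 host sshd[1]: noise",
]

if __name__ == "__main__":
    good, bad = parse_cef_stream(SAMPLE_LINES)
    print("parsed %d, rejected %d" % (len(good), len(bad)))
    print("hosts with high-severity compliance events:", failing_hosts(good))
```

Rejected lines are kept with their reason rather than silently dropped, because a receiver that half-parses a truncated header would file compliance failures under the wrong field or miss them entirely; counting rejections is also the simplest health check for the TCP/UDP path between Core Services and the SIEM.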

15.1.2 Understanding Data Storage Requirements

You can configure Secure Configuration Manager to attach a detailed report to each event that it sends to Sentinel. To store assessment events and reports, you should plan for an estimated 1.7 MB per event.

To help you with calculating storage needs, you might want to review System Sizing Information for Sentinel.