2015-01-14 04:19 PM
Hi,
I don't have the SA product or any SA documentation. I also don't see any official SA documentation (for installation, configuration, administration) on this community site. If these items are here, please help me find them. But my questions are:
1) How does SA integrate with common SIEMs? Via SOAP? Files? TCP? I am talking about SIEMs such as ArcSight, FireEye, Splunk, AlienVault, and QRadar.
2) About how long does it take to integrate a single SIEM data source into SA?
Thanks.
2015-01-15 05:24 AM
2015-01-15 11:13 AM
What type of integration are you talking about? Forwarding logs, alerts, integrating the UIs to link investigations, something else?
2015-01-15 11:16 AM
Thank you!
Also, do you know if event sources not on the official list could theoretically be used? FireEye is on the list, but QRadar, for example, is not.
Is there a generic way to package event source information so that it can be imported by SA? So if I properly packaged event source info from QRadar, could it be used with SA?
2015-01-15 11:17 AM
"What type of integration are you talking about? Forwarding logs, alerts, integrating the UIs to link investigations, something else?"
Alerts definitely.
Possibly forwarding logs.
Not UI integration though.
2015-01-15 11:18 AM
By the way, I'm on a co-worker's PC; I just realized I'm on his account...
2015-01-15 11:20 AM
I'm back on my account again.