
ATA Gateway SIEM Integration

marc.biessy

Hi,

From my understanding, ATA Gateway can be fed in three different ways:

- Port Mirroring
- SIEM
- WEF

Then, if you are using the Lightweight Gateway, you do not need Port Mirroring or WEF; however, what are the SIEM logs used for? I have read that only specific events can be forwarded from the SIEM to the Gateway. Is that correct? What are those events?

Thank you,

Marc

1 Reply
Solution

If you are running all Lightweight GWs > 1.8, there is no additional value in incoming SIEM traffic.

ATA will read all the needed events locally.

SIEM has additional value in the standalone GW scenario, or in older versions of ATA where we did not read events locally.
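The reply says a Lightweight Gateway reads the needed Security events locally on the domain controller, while a standalone Gateway must receive them through SIEM or WEF. Either way, the events only exist if the DC's audit policy actually produces them. The following PowerShell check is an added example, not part of the original thread or of ATA itself: it is meant to be run on a domain controller and reports whether the relevant audit subcategories are enabled and whether the events have appeared in the Security log recently. The event-ID list is the set named in the ATA "Configure event collection" documentation as this editor recalls it (4776 for NTLM credential validation, and 4732, 4733, 4728, 4729, 4756, 4757 for security-group membership changes); treat it as an assumption and verify it against the documentation for the ATA version you run.

```powershell
# Added example (not from the original post or from ATA): check that a DC is
# producing the Security events ATA consumes. On a Lightweight Gateway these are
# read locally; on a standalone Gateway they must be forwarded via SIEM or WEF.
# ASSUMPTION: this ID list is taken from the ATA event-collection docs as recalled
# by the editor; confirm it for your ATA version before relying on it.
$AtaEventIds = @(4776, 4732, 4733, 4728, 4729, 4756, 4757)

# 1. Audit policy. 4776 is only logged when "Credential Validation" auditing is on;
#    the group-membership events need "Security Group Management".
auditpol.exe /get /subcategory:"Credential Validation"
auditpol.exe /get /subcategory:"Security Group Management"

# 2. Have any of the events actually been written in the last 24 hours?
#    Get-WinEvent reports "No events were found" as an error, hence SilentlyContinue.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $AtaEventIds
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No ATA-relevant Security events since $since. Check the audit policy above and that this host is a domain controller."
} else {
    # Per-ID counts make a missing category (e.g. no 4776 at all) stand out.
    $events | Group-Object Id | Sort-Object { [int]$_.Name } |
        Select-Object @{ Name = 'EventId'; Expression = { [int]$_.Name } }, Count |
        Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session on each domain controller. On a Lightweight Gateway host, an empty result means the Gateway has nothing to read locally regardless of version; on a standalone Gateway deployment it means the SIEM or WEF path has nothing to forward, so no amount of SIEM integration will help until the audit policy is fixed.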