Event Collectors
  • 16 Aug 2024

The Liquit Access Manager license is required for this feature.

A Security Information and Event Management (SIEM) solution aggregates, consolidates and sorts your data, identifies threats, verifies data compliance and responds quickly to potential threats that would otherwise disrupt your company's business operations.

The event collector functionality lets you send event information to the external SIEM systems Splunk and Microsoft Sentinel.

Database

The first row in the event collector list represents the database overview, with all the information that is collected according to your configurations. No changes can be made to it.

Overview screen

The overview screen provides basic information about the collector that is currently open.

Settings screen

Microsoft Azure Sentinel

Type - The type of Azure environment: the Azure public cloud, or a custom one for a region that has its own Azure environment.
Workspace ID - The ID of your Microsoft Log Analytics workspace.
Key - The primary key associated with your Microsoft Log Analytics workspace.
URI - The address of the Microsoft Azure Sentinel server.

For more information, see Microsoft Sentinel documentation.

How to configure it

  1. You need to create a Microsoft Log Analytics workspace in a subscription and resource group.
  2. In your new Log Analytics workspace, go to Settings > Agent and copy the workspace ID and primary key into Liquit Workspace.
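The workspace ID and primary key copied in step 2 are the two halves of a shared-key credential: the ID names the workspace, and the key signs every request. The following added example (not Liquit's or Microsoft's code) shows how a request to the Log Analytics HTTP Data Collector API is signed with these values, and includes the check the receiving side performs, so you can see why the key must be treated as a secret and why a tampered body is rejected. The workspace ID, key, event contents and log type are constructed sample values; the date is fixed only so the result is reproducible. No network call is made.

```python
"""
Added example: sign a Log Analytics Data Collector API request with a
workspace ID and primary key, then verify it the way the receiver does.
This is illustrative code, not Liquit's or Microsoft's implementation.
"""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample values. A real Workspace ID is a GUID and a real
# primary key is the base64 string shown under Settings > Agent.
WORKSPACE_ID = "11111111-2222-3333-4444-555555555555"
SHARED_KEY = base64.b64encode(b"example-key-bytes-not-a-real-secret").decode()

# Constructed event in the shape of a "User login" event from the Filter screen.
SAMPLE_EVENT = [{
    "EventType": "User login",
    "User": "alice@example.com",
    "Result": "Success",
}]


def rfc1123_now() -> str:
    """The x-ms-date header must be an RFC 1123 timestamp in GMT."""
    return datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")


def sign(workspace_id, shared_key, date, content_length, method="POST",
         content_type="application/json", resource="/api/logs"):
    """Build the 'SharedKey <id>:<sig>' Authorization value.

    The signature is HMAC-SHA256 over method, body length, content type,
    the x-ms-date header and the resource path, keyed with the decoded
    primary key. Anyone holding the key can produce valid requests, so
    the key deserves the same handling as a password.
    """
    string_to_sign = (
        f"{method}\n{content_length}\n{content_type}\n"
        f"x-ms-date:{date}\n{resource}"
    )
    decoded_key = base64.b64decode(shared_key)
    digest = hmac.new(decoded_key, string_to_sign.encode("utf-8"),
                      hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_request(workspace_id, shared_key, events, log_type, date=None):
    """Return (url, headers, body) for a batch of events.

    Log-Type names the custom table Sentinel stores the events in; it
    must be alphanumeric (underscores allowed).
    """
    body = json.dumps(events).encode("utf-8")
    date = date or rfc1123_now()
    url = (f"https://{workspace_id}.ods.opinsights.azure.com"
           f"/api/logs?api-version=2016-04-01")
    headers = {
        "Content-Type": "application/json",
        "Authorization": sign(workspace_id, shared_key, date, len(body)),
        "Log-Type": log_type,
        "x-ms-date": date,
    }
    return url, headers, body


def verify_request(workspace_id, shared_key, headers, body):
    """Recompute the signature as the receiving side does and compare in
    constant time. True only if key, date and body length all match."""
    expected = sign(workspace_id, shared_key, headers["x-ms-date"], len(body))
    return hmac.compare_digest(expected, headers.get("Authorization", ""))


if __name__ == "__main__":
    url, hdrs, body = build_request(WORKSPACE_ID, SHARED_KEY, SAMPLE_EVENT,
                                    "LiquitWorkspace")
    print(url)
    print(hdrs["Authorization"])
    print("verifies:", verify_request(WORKSPACE_ID, SHARED_KEY, hdrs, body))
```

Because the date and body length are part of the signed string, the same key produces a different Authorization value for every request, and replaying a captured request with a modified body fails verification.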

Splunk

URI - The address of the Splunk server. Note that you must append the HTTP port number, which you can find in your Splunk instance under Edit global settings.
Access token - The authentication token that grants access to a Splunk platform instance. You can find it in your Splunk instance under Settings > Data input > HTTP event collectors.
Client certificate - The certificate must first be uploaded to Liquit Workspace.

How to configure it

You need to insert the URI and access token from Splunk into Liquit Workspace. See the Splunk documentation on how to set up and use HTTP Event Collector in Splunk Web.

Event tags screen

The event tags you create are sent to Splunk, where you can use them to further filter events.
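The Splunk settings (URI with its HTTP port, access token) and the event tags described above all end up in a single HTTP Event Collector request. The following added example (not Liquit's or Splunk's code) builds that request offline: it checks that the URI carries a port and uses HTTPS, sends the token in the `Authorization: Splunk <token>` header, places the tags in the HEC `fields` object so they are searchable in Splunk, and forwards an event only if its type is enabled on the Filter screen. The server name, token, tag names and event payload are constructed sample values; 8088 is only the default HEC port, so the real value comes from your Edit global settings page. No network call is made.

```python
"""
Added example: build and validate a Splunk HTTP Event Collector (HEC)
request for a Liquit Workspace event. Illustrative code, not Liquit's or
Splunk's implementation.
"""
import json
from urllib.parse import urlsplit

# Event types from the Filter screen; only enabled ones are forwarded.
FILTERABLE_EVENTS = {
    "User login", "User logoff", "Distribute package", "Install package",
    "Launch package", "Uninstall package", "Repair package",
}

# Constructed sample configuration. The token is not a real one, and
# 8088 is the HEC default port; use the port shown in your global settings.
SPLUNK_URI = "https://splunk.example.com:8088"
ACCESS_TOKEN = "00000000-0000-0000-0000-000000000000"
EVENT_TAGS = {"source_system": "liquit", "environment": "production"}


def check_uri(uri: str) -> str:
    """Return the HEC event endpoint for a configured URI.

    Rejects a URI without the port (the page's note) or without HTTPS,
    which would expose the token and event data on the wire.
    """
    parts = urlsplit(uri)
    if parts.scheme != "https":
        raise ValueError("Splunk URI must use https")
    if parts.port is None:
        raise ValueError("Splunk URI must include the HEC port, e.g. :8088")
    return f"https://{parts.hostname}:{parts.port}/services/collector/event"


def uri_is_valid(uri: str) -> bool:
    try:
        check_uri(uri)
        return True
    except ValueError:
        return False


def build_hec_request(uri, token, event_type, event_data, enabled, tags=None):
    """Return (url, headers, body) for one event, or None when the event
    type is not enabled on the Filter screen."""
    if event_type not in FILTERABLE_EVENTS:
        raise ValueError(f"unknown event type: {event_type}")
    if event_type not in enabled:
        return None
    payload = {
        "sourcetype": "liquit:workspace",          # constructed sourcetype name
        "event": {"type": event_type, **event_data},
        "fields": dict(tags or {}),                # event tags, indexed by Splunk
    }
    headers = {
        "Authorization": f"Splunk {token}",        # HEC token header format
        "Content-Type": "application/json",
    }
    return check_uri(uri), headers, json.dumps(payload).encode("utf-8")


if __name__ == "__main__":
    req = build_hec_request(SPLUNK_URI, ACCESS_TOKEN, "User login",
                            {"user": "alice@example.com"}, {"User login"},
                            EVENT_TAGS)
    url, headers, body = req
    print(url)
    print(headers)
    print(body.decode())
```

Keys placed in `fields` are indexed as metadata rather than searched inside the raw event, which is what makes the tags usable for filtering in Splunk.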

Filter screen

Select which Liquit Workspace events you want to send to the SIEM system(s):

  • User login
  • User logoff
  • Distribute package
  • Install package
  • Launch package
  • Uninstall package
  • Repair package

Enable auditing for the kinds of changes to entities you want to track:

  • Create - Create a new entity
  • Update - Update an existing entity
  • Delete - Delete an existing entity
  • Add - Add a reference between entities
  • Remove - Remove a reference between entities
  • Action - Execute something on the server, for example export a certificate

For the PowerShell cmdlets, see Event Collector.

Auditing screen

View a comprehensive log of changes to this event collector, showing the identity behind each modification.
This screen is available only if auditing is enabled in the Database event collector. For more information, see Auditing.
