Event Collectors
  • 19 Dec 2023

The Liquit Access Manager license is required for this connector.

A Security Information and Event Management (SIEM) solution aggregates, consolidates and sorts your data, identifies threats, verifies data compliance and quickly responds to potential threats that would otherwise disrupt your company's business operations.

The event collector functionality lets you send event information to the external SIEM systems Splunk and Microsoft Sentinel.

Database

The first row in the event collector list represents the database overview, with all the information that is collected according to your configurations. No changes can be made to it.

Overview screen

The overview screen provides basic information about the collector that is currently open.

Settings screen

Microsoft Azure Sentinel

Type - The type of Azure environment: the Azure public cloud, or a custom one for a region that has its own Azure environment.
Workspace ID - The ID of your Microsoft Log Analytics workspace.
Key - The primary key associated with your Microsoft Log Analytics workspace.
URI - The address of the Microsoft Azure Sentinel server.

For more information, see the Microsoft Sentinel documentation.

How to configure it

  1. Create a Microsoft Log Analytics workspace; this gives you a subscription and resource group.
  2. In your new Log Analytics workspace, go to Settings > Agent and copy the workspace ID and primary key into Liquit Workspace.

Splunk

URI - The address of the Splunk server. Note that you must append the HTTP port number, which you can find in your Splunk instance > Edit global settings.
Access token - The authentication token that grants access to a Splunk platform instance. You can find it in your Splunk instance > Settings > Data input > HTTP event collectors.
Client certificate - The certificate must be first uploaded to Liquit Workspace.

How to configure it

Enter the URI and access token from Splunk into Liquit Workspace. See the Splunk documentation on how to set up and use HTTP Event Collector in Splunk Web.

Filter screen

Filter which types of event information related to Liquit Workspace packages you want to send to the SIEM system:

  • User login
  • User logoff
  • Distribute package
  • Install package
  • Launch package
  • Uninstall package
  • Repair package

For the PowerShell cmdlets, see Event Collector.
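The following is an added example, not part of this article or of Liquit Workspace itself, illustrating the Splunk settings above (URI with an explicit HTTP port, access token) and the filter screen's event types. It builds the HTTP Event Collector request for one event and refuses a URI without the port this article says you must append; the sourcetype name, the sample event fields and the HEC endpoint path are assumptions for the example.

```python
import json
from typing import Optional
from urllib.parse import urlsplit

# Event types offered on the filter screen of this article; only these are forwarded.
FORWARDED_EVENT_TYPES = {
    "User login", "User logoff", "Distribute package", "Install package",
    "Launch package", "Uninstall package", "Repair package",
}


def check_splunk_uri(uri: str) -> str:
    """Return the URI unchanged if it is usable as a HEC target, otherwise raise.

    The article requires the HTTP port from 'Edit global settings' to be appended;
    a missing port is the most common reason a collector silently never delivers.
    """
    parts = urlsplit(uri)
    if parts.scheme != "https":
        raise ValueError("use https so the access token is not sent in clear text")
    if parts.port is None:  # urlsplit returns None when no explicit port is given
        raise ValueError("append the HEC port from your Splunk instance > Edit global settings")
    return uri


def build_hec_request(uri: str, token: str, event_type: str, details: dict) -> Optional[dict]:
    """Build the HEC request (URL, headers, JSON body) for one Liquit-style event.

    Returns None when the event type is not enabled on the filter screen.
    A client certificate, if configured, is presented at the TLS layer by the
    collector and is not part of the request body, so it is not modelled here.
    """
    if event_type not in FORWARDED_EVENT_TYPES:
        return None
    base = check_splunk_uri(uri).rstrip("/")
    # 'liquit:event' is an assumed sourcetype name chosen for this example.
    body = {"sourcetype": "liquit:event", "event": {"type": event_type, **details}}
    return {
        "url": f"{base}/services/collector/event",   # standard HEC JSON endpoint
        "headers": {"Authorization": f"Splunk {token}",  # HEC token scheme
                    "Content-Type": "application/json"},
        "body": json.dumps(body),
    }


if __name__ == "__main__":
    # Constructed sample: an install event from a fictitious Liquit environment.
    req = build_hec_request("https://splunk.example.com:8088", "<hec-token-placeholder>",
                            "Install package", {"package": "Example App", "user": "alice"})
    print(json.dumps(req, indent=2))
```

Nothing is transmitted; the returned dictionary is what the collector would send, which makes it convenient for checking the URI and token before saving the collector settings.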
