🆕☁️Cloud-hosted Safetica: How to send Safetica insights to your SIEM

Send insights from Safetica to various SIEM systems like QRadar, Rapid7, Splunk, or FortiSIEM.

❗For now, this article applies only to cloud-hosted Safetica.

Introduction

Safetica already protects devices by detecting data leaks and insider threats. Sending Safetica insights to your SIEM (Security Information & Event Management) system lets you correlate them with security data from other sources (e.g., firewall, EDR, or network logs) for an even more comprehensive threat analysis.

✍️Safetica sends insights to your SIEM in OCSF-formatted JSONs via webhooks. This standardized format ensures compatibility across different SIEM platforms.

Syslog is currently not supported.

In this article, you will learn more about:

Prerequisites

  • License: Safetica PRO or Safetica Premium.
  • SIEM system: Any SIEM system that can receive data via webhooks. This includes, but is not limited to:
    • QRadar
    • Rapid7
    • Splunk
    • FortiSIEM
  • Network connectivity between Safetica and your SIEM system.

SIEM integration permissions

Permissions for integrating Safetica insights with SIEM are as follows:

  • Activate or edit SIEM integration: Only Safetica admins with the Settings and configuration permission can activate or edit the SIEM integration. The permission can be enabled or disabled in Settings > Accounts and permissions.

How to set up Safetica integration with SIEM

  1. In Safetica console, go to Cloud services and click Activate SIEM integration.
  2. SIEM server address: Enter the SIEM-specific webhook URL.
  3. Add custom headers (optional): For SIEMs that rely on unique authorization headers, you can add Header: Value pairs. Click +Add after entering each pair. Examples:
      • SIEMs with a shared URL for all environments (e.g., Splunk): You must supply unique authorization headers.
    • SIEMs with unique URLs that identify your environment (e.g., Rapid7): No extra headers are required.

✍️Private parameters: Sensitive header values can be hidden under **** in Safetica console and stored encrypted in the database – just click the lock icon.

  4. Test the connection: Click the Test connection button to verify that the connection to your SIEM works properly and that Safetica can successfully send insights to your SIEM.
  5. Click Save. Safetica will start sending insights to your SIEM in OCSF-formatted JSONs. You can then filter, correlate, and analyze these insights in your SIEM alongside other security events.

✍️Safetica will send all insights (from low to high severity) to your SIEM. No further configuration is needed.

❗For now, only one SIEM integration can be configured at a time.
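To see what the receiving side of this setup has to do, here is an added example of a minimal webhook endpoint that stands in for the SIEM: it requires the custom authorization header configured in step 3, parses the incoming OCSF JSON, and maps the OCSF `severity_id` to a label for filtering. This is illustrative code written for this article, not Safetica's or any SIEM vendor's code. The header name and value, the port, and the sample event are all constructed; the page states that Safetica sends OCSF-formatted JSON but does not show its actual field layout, so the sample only follows OCSF's common fields (`class_uid`, `category_uid`, `severity_id`, `time`, `metadata`).

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical custom header, matching one "Header: Value" pair entered under
# "Add custom headers" in Safetica console. The value is a constructed placeholder.
AUTH_HEADER = "Authorization"
AUTH_VALUE = "Bearer replace-with-your-own-secret"

# severity_id enum from the OCSF schema (shared by all OCSF event classes).
OCSF_SEVERITY = {
    0: "Unknown", 1: "Informational", 2: "Low", 3: "Medium",
    4: "High", 5: "Critical", 6: "Fatal", 99: "Other",
}

# Fields every OCSF event carries; used as the minimum sanity check on ingest.
REQUIRED_FIELDS = ("class_uid", "category_uid", "severity_id", "time", "metadata")

# Constructed OCSF-shaped sample, not a real Safetica payload. class_uid 2004 is
# OCSF's Detection Finding class; time is epoch milliseconds as OCSF specifies.
SAMPLE_EVENT = {
    "class_uid": 2004,
    "category_uid": 2,
    "activity_id": 1,
    "severity_id": 4,
    "time": 1700000000000,
    "metadata": {"version": "1.1.0", "product": {"name": "Safetica"}},
    "finding_info": {"title": "Sensitive file copied to USB (constructed example)"},
}
SAMPLE_BODY = json.dumps(SAMPLE_EVENT).encode("utf-8")


def _get_header(headers, name):
    """Case-insensitive lookup that works for a dict and for http.server's HTTPMessage."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def header_is_valid(headers, expected=AUTH_VALUE):
    """Constant-time comparison so a wrong token does not leak how many bytes matched."""
    supplied = _get_header(headers, AUTH_HEADER)
    return hmac.compare_digest(supplied.encode("utf-8"), expected.encode("utf-8"))


def parse_ocsf_event(body: bytes) -> dict:
    """Decode one OCSF JSON event and return the fields a SIEM would index first."""
    event = json.loads(body)  # raises json.JSONDecodeError, a ValueError subclass
    if not isinstance(event, dict):
        raise ValueError("OCSF event must be a JSON object")
    missing = [f for f in REQUIRED_FIELDS if f not in event]
    if missing:
        raise ValueError(f"missing OCSF fields: {missing}")
    if not isinstance(event["metadata"], dict):
        raise ValueError("metadata must be an object")
    severity_id = event["severity_id"]
    if not isinstance(severity_id, int):
        raise ValueError("severity_id must be an integer")
    return {
        "class_uid": event["class_uid"],
        "category_uid": event["category_uid"],
        "severity_id": severity_id,
        "severity": OCSF_SEVERITY.get(severity_id, "Other"),
        "time": event["time"],
        "ocsf_version": event["metadata"].get("version"),
    }


def handle_payload(headers, body: bytes):
    """Authorize first, then parse. Returns (http_status, response_dict)."""
    if not header_is_valid(headers):
        return 401, {"error": "missing or invalid authorization header"}
    try:
        summary = parse_ocsf_event(body)
    except ValueError as exc:
        return 400, {"error": str(exc)}
    return 200, summary


class SiemWebhook(BaseHTTPRequestHandler):
    """Webhook endpoint: POST an OCSF JSON body with the expected header."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        status, result = handle_payload(self.headers, self.rfile.read(length))
        payload = json.dumps(result).encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Local listener for exercising the flow; a real receiver sits behind TLS.
    HTTPServer(("127.0.0.1", 8080), SiemWebhook).serve_forever()
```

The authorization check runs before any JSON parsing, so an unauthenticated sender cannot drive the parser, and the token comparison uses `hmac.compare_digest` rather than `==`. Rejected requests answer 401 or 400 with a short reason, which is what the Test connection button in step 4 would surface if the header or the URL were wrong.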

How to edit Safetica integration with SIEM

If you already have Safetica integrated with your SIEM and want to make changes to the integration:

  1. In Safetica console, go to Cloud services and click Edit SIEM integration.
  2. Make the necessary changes.
  3. Test the connection and click Save.

How to remove Safetica integration with SIEM

If you have Safetica integrated with your SIEM and want to remove the integration:

  1. In Safetica console, go to Cloud services and click Edit SIEM integration.
  2. Click Remove integration.