You can choose to integrate Safetica alerts with your SIEM software. Alerts sent to SIEM contain an alert type number and description of the incident.
For now, this article applies only to Safetica hosted on-premises.
To integrate alerts with your SIEM, you need the companion Safetica Maintenance Console.
Integration with SIEM can be set up individually for each alert:
- Open Safetica Maintenance Console and set up a new alert as described here.
- In the 4th step, called Reporting, integrate the alert with your SIEM by entering the SIEM server address and port. The SIEM server must be reachable over the network from the Safetica server that sends the alerts.
Each alert sent to SIEM carries the alert Type number and a description of the incident. Below is an example of a Safetica alert as received by the SIEM:
Safetica@1 Id="92334" Type="103014" User="John Smith" Computer="PC101" Details="Unprotected sensitive data leaving the endpoint. Data categories: None. This alert was sent when a large volume of categorized data not protected by DLP policies had left the endpoint. Further data may have left after the alert was sent. (Rules: eMail)"
When writing a parser for these alerts, or when categorizing them in your SIEM by Type number, translate the Type number using the following tables:
| Type number | Alert |
|---|---|
| 103012 | DLP policy violation |
| 103013 | Cumulative DLP policy violation |
| 103014 | Unprotected sensitive data leaving the endpoint |
| 103015 | Unprotected sensitive data leaving the endpoint to a specific destination |
| 101002 | Website access denied |
| 102001 | Application access denied |
| 104001 | Unknown external device connected |
| 104002 | External device connection blocked |
| 107001 | Safetica Client stopped unexpectedly |

| Type number | Alert |
|---|---|
| 200009 | Files moving or copying on USB disk |
| 200020 | Files uploaded to cloud |
| 200021 | Tagged files uploaded to cloud |
| 200022 | Tagged files sent via e-mail |
| 200001 | Time spent on web categories |
| 200002 | Received e-mails count |
| 200003 | Sent e-mails count |
| 200004 | Data downloaded |
| 200005 | Data uploaded |
| 200006 | Time spent on application categories |
| 200010 | Printed documents count |
| 200011 | Printed pages count |

| Type number | Alert |
|---|---|
| 106002 | Wrong password to Safetica inserted multiple times |
| 300001 | Database size is near the maintenance limit |
| 300002 | Categories update failed |
| 300003 | Unexpected termination of Safetica Management Service |
| 300008 | Insufficient space on drive for databases |
| 300005 | Scheduled task failed |
| 300006 | Incorrect license status |
| 300004 | Disk space of server data folder is running low |
| 300009 | Certificate alerts |
| 300010 | SMS threats |
| 300011 | FortiGate sync error |
Encoding of alerts with special characters
If your alerts contain accented or other non-ASCII characters, we recommend configuring your SIEM to receive them as UTF-8 (multibyte) encoded text. Alternatively, avoid using such characters in your alerts.
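The following parser is an added example written for this article; it is not Safetica's code and not part of any SIEM product. It takes one alert line in the format shown above, splits the `Key="value"` fields, translates the Type number using the tables from this article, and decodes raw bytes as UTF-8 so that accented characters (the point of the encoding note) survive. It assumes field values never contain an embedded double quote, which holds for the sample line; the second sample line with an accented user name is constructed for illustration.

```python
import re
from typing import Dict, Union

# Type-number table reproduced from the article's three tables.
SAFETICA_ALERT_TYPES: Dict[int, str] = {
    103012: "DLP policy violation",
    103013: "Cumulative DLP policy violation",
    103014: "Unprotected sensitive data leaving the endpoint",
    103015: "Unprotected sensitive data leaving the endpoint to a specific destination",
    101002: "Website access denied",
    102001: "Application access denied",
    104001: "Unknown external device connected",
    104002: "External device connection blocked",
    107001: "Safetica Client stopped unexpectedly",
    200009: "Files moving or copying on USB disk",
    200020: "Files uploaded to cloud",
    200021: "Tagged files uploaded to cloud",
    200022: "Tagged files sent via e-mail",
    200001: "Time spent on web categories",
    200002: "Received e-mails count",
    200003: "Sent e-mails count",
    200004: "Data downloaded",
    200005: "Data uploaded",
    200006: "Time spent on application categories",
    200010: "Printed documents count",
    200011: "Printed pages count",
    106002: "Wrong password to Safetica inserted multiple times",
    300001: "Database size is near the maintenance limit",
    300002: "Categories update failed",
    300003: "Unexpected termination of Safetica Management Service",
    300008: "Insufficient space on drive for databases",
    300005: "Scheduled task failed",
    300006: "Incorrect license status",
    300004: "Disk space of server data folder is running low",
    300009: "Certificate alerts",
    300010: "SMS threats",
    300011: "FortiGate sync error",
}

# Key="value" pairs. Assumption: values carry no embedded double quote.
_KV_RE = re.compile(r'(\w+)="([^"]*)"')

# The alert line quoted in the article.
SAMPLE_LINE = (
    'Safetica@1 Id="92334" Type="103014" User="John Smith" Computer="PC101" '
    'Details="Unprotected sensitive data leaving the endpoint. Data categories: None. '
    'This alert was sent when a large volume of categorized data not protected by DLP '
    'policies had left the endpoint. Further data may have left after the alert was sent. '
    '(Rules: eMail)"'
)

# Constructed sample (not from the article): raw UTF-8 bytes with accented characters,
# as a SIEM collector would receive them on the wire.
SAMPLE_UTF8_BYTES = (
    'Safetica@1 Id="92335" Type="200020" User="José Nováček" Computer="PC102" '
    'Details="Files uploaded to cloud."'
).encode("utf-8")


def alert_name(type_number: int) -> str:
    """Translate a Safetica alert Type number into its human-readable alert name."""
    return SAFETICA_ALERT_TYPES.get(type_number, "Unknown alert type")


def parse_safetica_alert(raw: Union[str, bytes]) -> dict:
    """Parse one Safetica SIEM alert line into a dict of fields.

    Accepts str or bytes; bytes are decoded as UTF-8, the encoding the article
    recommends for alerts containing accented characters. Raises ValueError on
    lines that are not Safetica alerts or that lack a Type field.
    """
    if isinstance(raw, bytes):
        raw = raw.decode("utf-8")
    line = raw.strip()
    # The line opens with a fixed product/schema token, e.g. "Safetica@1".
    schema, _, rest = line.partition(" ")
    if not schema.startswith("Safetica@"):
        raise ValueError(f"not a Safetica alert line: {schema!r}")
    fields: dict = dict(_KV_RE.findall(rest))
    if "Type" not in fields or not fields["Type"].isdigit():
        raise ValueError("alert line has no numeric Type field")
    fields["Schema"] = schema
    fields["Type"] = int(fields["Type"])
    if fields.get("Id", "").isdigit():
        fields["Id"] = int(fields["Id"])
    # Add the translated alert name so downstream rules can match on text, not numbers.
    fields["AlertName"] = alert_name(fields["Type"])
    return fields


if __name__ == "__main__":
    for sample in (SAMPLE_LINE, SAMPLE_UTF8_BYTES):
        parsed = parse_safetica_alert(sample)
        print(parsed["Type"], parsed["AlertName"], parsed["User"], parsed["Computer"])
```

In a real collector the decode step is where the article's encoding advice matters: if the SIEM input is configured for a single-byte code page instead of UTF-8, the user name in the second sample is mangled before any parsing rule ever sees it.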