# SIEM Integration

It is possible to integrate your dope.swg with whichever SIEM tool your organization is using. We provide two methods for integration: an AWS S3 bucket or an HTTP integration.

## Method 1. AWS S3 Integration

Simply provide dope.security with the location of your organization's AWS S3 Bucket, where we can send all web transactions from each dope.endpoint.

Each dope.endpoint sends all of its web transactions to the dope.cloud every 15 minutes. Once SIEM Integration is enabled, the dope.cloud forwards this log data to your organization's AWS S3 bucket as it is received from the dope.endpoint.

The data is sent to the AWS S3 Bucket in a compressed GZIP format. This data can then be ingested into whichever SIEM product your organization is using.

### S3 Bucket Name

The first step to configure SIEM integration is to navigate to the Settings ➔ SIEM page. From here, you must provide the name of the AWS S3 Bucket to which you want the dope.cloud to send the log data.

<figure><img src="https://4250118259-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqdf21diS0j19gSMF9LeP%2Fuploads%2F2yMuHdf6f5drAGG9dvNl%2Fsiem_s3.png?alt=media&#x26;token=f8360ced-6f6d-4a64-84a3-9afa6232f682" alt=""><figcaption><p>Ensure your S3 bucket is in the location shown on the right-hand side (<em>US-EAST-2</em> in this example)</p></figcaption></figure>

{% hint style="danger" %}
Your AWS S3 Bucket must be in the AWS region noted on the right-hand side of the SIEM integration page (see above).

e.g. if the page shows *US-EAST-2*, the S3 Bucket location must be *US-EAST-2*
{% endhint %}

{% hint style="danger" %}
Your AWS S3 Bucket should not have KMS encryption enabled (unsupported at this time)
{% endhint %}

### Configuring the AWS S3 Bucket Policy

The AWS S3 bucket that you want the log data to be sent to must be configured to give the dope.cloud write access.

Within the SIEM integration page on the right-hand panel, dope.security has provided the policy that the AWS S3 Bucket needs to be configured with. You need to copy and paste this policy and use it to configure the organization’s AWS S3 Bucket.

<figure><img src="https://4250118259-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqdf21diS0j19gSMF9LeP%2Fuploads%2FEljc3NBNzYDIl4KKx25E%2Fsiem_s3_copy.png?alt=media&#x26;token=c5eadc0a-7d41-4f47-ad3a-01a570f9649d" alt="" width="375"><figcaption></figcaption></figure>

### Synchronise

Once the AWS S3 Bucket is configured correctly return to the Settings ➔ SIEM Page and simply click the Sync Button <img src="https://4250118259-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqdf21diS0j19gSMF9LeP%2Fuploads%2Fz92AhSflE5uOc3uOkXT4%2FSync.png?alt=media&#x26;token=a8d00d5f-8b96-471f-abbe-bb1c8c33e8f5" alt="" data-size="line">

When everything has been configured correctly, a successful synchronization will be clearly indicated on the SIEM page.

A green tick will appear next to the AWS S3 Bucket name and the last synchronization time will appear on the top right of the page.

![Successful Synchronization](https://4250118259-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqdf21diS0j19gSMF9LeP%2Fuploads%2FR7EwVmXNKEUYuFtb3rHD%2Fsiem_s3_active.png?alt=media\&token=639385e0-91e8-49df-b2a7-085578edc186)

{% hint style="danger" %}

### Synchronization Errors

If the synchronization fails, it will be because of one of the following errors:

* AWS S3 bucket not found
* AWS S3 Bucket needs to be in Data Residency Region
* AWS S3 access policy is not set
* AWS S3 access policy is incorrect

The synchronization failure will be clearly indicated on the SIEM page.
{% endhint %}

{% hint style="warning" %}

### Connection Lost

It is possible that the connection to the AWS S3 Bucket could get lost. This will result in log data not getting sent to the organization’s AWS S3 Bucket. A lost connection will be caused by one of the following errors:

* AWS S3 bucket not found
* AWS S3 Bucket needs to be in Data Residency Region
* AWS S3 access policy is not set
* AWS S3 access policy is incorrect

The SIEM Integration page will clearly indicate that the connection is lost and will indicate the possible reasons.
{% endhint %}

![SIEM Page Lost Connection](https://4250118259-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqdf21diS0j19gSMF9LeP%2Fuploads%2FRmRNOaOiPszGVoqJEXCc%2Fsiem_s3_lost.png?alt=media\&token=4436b1b3-78ff-4f7a-8689-ed6932d2086e)

The Audit Log will have an event posted that shows the number of files that have not been sent to the organization's AWS S3 Bucket.

When the connection to the AWS S3 Bucket is restored, the SIEM page will again indicate that the synchronization was successful. A connection-returned event will also be added to the Audit Log.
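The Synchronization Errors and Connection Lost lists above describe the same four conditions. The following added example (not dope.security's code) is a local preflight you can run before clicking Sync, or when the SIEM page reports a lost connection, to find out which condition applies. The inputs are plain values so that it runs offline; the docstring names the boto3 calls that return each one. The bucket name, principal ARN and policy documents are constructed placeholders: paste the policy shown in the console, not the one here. The KMS check is included because the page states KMS-encrypted buckets are unsupported, even though it is not one of the four listed errors.

```python
"""Added example, not dope.security's code: a local preflight that checks the
same conditions the SIEM page reports as synchronization errors or a lost
connection, plus the unsupported-KMS case. Inputs are plain values so the
function runs offline; the docstring of preflight() names the boto3 call that
returns each one when run for real."""
import json

# Actions that allow object writes; the console's policy uses one of these.
WRITE_ACTIONS = {"s3:PutObject", "s3:*", "*"}


def normalize_region(location_constraint):
    """get_bucket_location() returns None for us-east-1; make regions comparable."""
    return (location_constraint or "us-east-1").lower()


def policy_grants_write(policy_json: str, bucket: str) -> bool:
    """True if some Allow statement grants object writes on this bucket."""
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError:
        return False
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    wanted = {f"arn:aws:s3:::{bucket}/*", "*"}
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        resources = stmt.get("Resource", [])
        resources = {resources} if isinstance(resources, str) else set(resources)
        if actions & WRITE_ACTIONS and resources & wanted:
            return True
    return False


def preflight(bucket, exists, location_constraint, residency_region,
              sse_algorithm, policy_json):
    """Return the list of problems, in the SIEM page's own wording where it has one.

    exists              - head_bucket() succeeded
    location_constraint - get_bucket_location()['LocationConstraint']
    residency_region    - the region shown on the SIEM page, e.g. US-EAST-2
    sse_algorithm       - get_bucket_encryption() rule's SSEAlgorithm, or None
    policy_json         - get_bucket_policy()['Policy'], or None if no policy
    """
    errors = []
    if not exists:
        return ["AWS S3 bucket not found"]
    if normalize_region(location_constraint) != residency_region.lower():
        errors.append("AWS S3 Bucket needs to be in Data Residency Region")
    if sse_algorithm == "aws:kms":
        errors.append("KMS encryption enabled (unsupported)")
    if policy_json is None:
        errors.append("AWS S3 access policy is not set")
    elif not policy_grants_write(policy_json, bucket):
        errors.append("AWS S3 access policy is incorrect")
    return errors


# Constructed sample policies with a placeholder principal (use the console's policy).
GOOD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::000000000000:role/PLACEHOLDER-dope-cloud"},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::acme-swg-logs/*",
    }],
})
READ_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::000000000000:role/PLACEHOLDER-dope-cloud"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::acme-swg-logs/*",
    }],
})

if __name__ == "__main__":
    # Healthy bucket: residency region, SSE-S3, write policy present.
    print(preflight("acme-swg-logs", True, "us-east-2", "US-EAST-2", "AES256", GOOD_POLICY))
    # Wrong region, KMS enabled, read-only policy: three findings.
    print(preflight("acme-swg-logs", True, "eu-west-1", "US-EAST-2", "aws:kms", READ_ONLY_POLICY))
```

The write check only looks at the action and resource of the policy, because the dope.cloud principal is not published here; keep the principal exactly as the console gives it.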

### Log Data Format

The data is sent in JSONL format. Below you can find the JSON Schema and an example JSONL file.

{% file src="<https://4250118259-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqdf21diS0j19gSMF9LeP%2Fuploads%2FyxqKNbErtPjxopAlDLzx%2FDope-SIEM-Schema.json?alt=media&token=29f3d3b5-1aeb-4d69-afb8-7bf003279240>" %}
Schema File
{% endfile %}

{% file src="<https://4250118259-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqdf21diS0j19gSMF9LeP%2Fuploads%2FvHzIcMpov8sb4Oei5jzH%2FSIEM%20JSONL%20Example.json?alt=media&token=71b94cd8-b326-4f62-be41-b03ebd68a272>" %}
SIEM JSONL Example
{% endfile %}

Below is a description of each parameter in the JSONL file:

<table><thead><tr><th width="253">Parameter</th><th>Description</th></tr></thead><tbody><tr><td>Timestamp (ISO 8601 time format)</td><td>The timestamp of when the web transaction was requested</td></tr><tr><td>Duration</td><td>The duration that the connection was open for, in milliseconds</td></tr><tr><td>Matched Destination</td><td>The domain that the dope category was matched against</td></tr><tr><td>Destination IP</td><td>The destination IP address for the requested URL</td></tr><tr><td>Tenant ID</td><td>The customer's unique dope.cloud tenant ID</td></tr><tr><td>Agent ID</td><td>The unique agent ID of the dope.endpoint the data is sent from</td></tr><tr><td>User</td><td>The logged-in user on the dope.endpoint</td></tr><tr><td>OIDC User</td><td>The email address of the authenticated user on the dope.endpoint. Only shown when OIDC authentication is enabled</td></tr><tr><td>Categories</td><td>The matched <a href="siem-integration/category-and-verdict-mappings">dope category numbers</a> for the requested URL</td></tr><tr><td>Verdict</td><td>The policy verdict for the requested URL. This can be Allow (0), Block (1), Warning (2) or Bypass (3), where Bypass means the URL is on a policy's bypass list.</td></tr><tr><td>Data Sent</td><td>The amount of data sent in the connection</td></tr><tr><td>Data Received</td><td>The amount of data received in the connection</td></tr><tr><td>Policy Type</td><td>The type of policy that was applied to the URL. This can be either Web, Cloud Application Control (CAC), Custom Category, Bypass or Malware.</td></tr><tr><td>Block Detail</td><td>Populated for a block verdict. It will be either a dope category, a custom category, a Cloud Application or a malware type.</td></tr><tr><td>Filename</td><td>The name of any file downloaded</td></tr><tr><td>File Hash</td><td>The file hash of the downloaded file</td></tr><tr><td>Process Name</td><td>The name of the process making the URL request</td></tr><tr><td>URL</td><td>The complete requested URL</td></tr><tr><td>Policy Name</td><td>The name of the policy applied</td></tr><tr><td>Protocol</td><td>Protocol used, e.g. HTTP/2, HTTP/1.1</td></tr><tr><td>Hostname</td><td>Device hostname</td></tr><tr><td>HTTP Request Method</td><td>HTTP request method, e.g. PUT</td></tr><tr><td>Process Call Tree</td><td>Shows the parent-child relationships established via process spawn operations, including the command arguments</td></tr></tbody></table>

## Method 2. Configuring the HTTP Integration

Currently the dope HTTP Integration supports the following SIEM tools:

* Splunk
* QRadar
* Taegis
* MS Sentinel
* Crowdstrike
* Datadog

### Splunk

To configure Splunk, you must have the HTTP Event Collector (HEC) URI and the token. The steps to obtain these can be found in [**Splunk's Enterprise Documentation: Set up and use HTTP Event Collector in Splunk Web**](https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector).

In the dope.console, navigate to Settings ➔ SIEM ➔ SIEM Integration Settings ➔ HTTP. From here select "Splunk" as the SIEM type, enter the HEC URI and the HEC token in the SIEM HTTP settings page, and sync.

<figure><img src="https://4250118259-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqdf21diS0j19gSMF9LeP%2Fuploads%2FtN53OyyGVdr5RlxxMKUh%2Fsiem_s3_splunk.png?alt=media&#x26;token=21e59679-1c57-43d4-a1b0-c18de4a63dee" alt=""><figcaption></figcaption></figure>

In order to confirm that the sync is successful, you should see a couple of sample records in your SIEM as a validation test.

### QRadar

To configure QRadar, you must have the integration URL and the integration key. The steps to obtain these can be found in [**IBM's QRadar Security Intelligence Platform Documentation: HTTP Receiver protocol configuration options**](https://www.ibm.com/docs/en/dsm?topic=options-http-receiver-protocol-configuration).

In the dope.console, navigate to Settings ➔ SIEM ➔ SIEM Integration Settings ➔ HTTP. From here select “QRadar” as the SIEM type, enter the integration URL and the integration key, and sync.

<figure><img src="https://4250118259-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqdf21diS0j19gSMF9LeP%2Fuploads%2FGjwRtaL0wueDl7KkAqV3%2Fsiem_s3_qradar.png?alt=media&#x26;token=30084636-f87b-4a07-8966-fd475135ee41" alt=""><figcaption></figcaption></figure>

In order to confirm that the sync is successful, you should see a couple of sample records in your SIEM as a validation test.

### Taegis

To configure Taegis, you must have the Taegis integration URL and the integration key. The steps to obtain these can be found in [**Secureworks' Documentation: Configure HTTP Ingest**](https://docs.taegis.secureworks.com/integration/connectCloud/http_ingest/).

In the dope.console, navigate to Settings ➔ SIEM ➔ SIEM Integration Settings ➔ HTTP. From here select “Taegis” as the SIEM type, enter the integration URL and the integration key, and sync.

<figure><img src="https://4250118259-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqdf21diS0j19gSMF9LeP%2Fuploads%2F1tPsnQijwSFNHaBVTzPy%2Fsiem_s3_taegis.png?alt=media&#x26;token=e9f960ff-c498-4253-9550-fbdb7cab8652" alt=""><figcaption></figcaption></figure>

In order to confirm that the sync is successful, you should see a couple of sample records in your SIEM as a validation test.

### MS Sentinel

To integrate with Microsoft Sentinel using HTTP, you'll need to use the Azure Monitor Logs Ingestion API. The steps to configure this can be found in [**Azure Monitor's Documentation: Logs Ingestion API in Azure Monitor**](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-ingestion-api-overview).

#### **Azure Prerequisites:**

> 1. Register a **Microsoft Entra application** → copy **Tenant ID**, **Client ID**, and generate a **Client Secret**.
> 2. Create or select a **Log Analytics workspace**.
> 3. Add a **Custom table** called `DopeSwg_CL`; keep the default “Custom-DopeSwg” stream name.
> 4. Create a **Data-Collection Endpoint (DCE)** in the same region.
> 5. Create a **Data-Collection Rule (DCR)** that routes the `Custom-DopeSwg_CL` stream to your workspace. Record the **DCR immutable ID**.
> 6. Open the DCR → **Access control (IAM)** → add the Entra app to the **Monitoring Metrics Publisher** role (scope = this DCR).

{% hint style="success" %}
Ensure that your Entra App has the Monitoring Metrics Publisher Role
{% endhint %}

#### **Configure dope.console:**

In the dope.console, navigate to Settings ➔ SIEM ➔ SIEM Integration Settings ➔ HTTP.

<figure><img src="https://4250118259-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqdf21diS0j19gSMF9LeP%2Fuploads%2F0IpfHSej3G0uhdxWFyPQ%2Fsiem_s3_mssentinel.png?alt=media&#x26;token=5b3e2166-2786-4a7d-92d0-23bba53abcc7" alt=""><figcaption><p>Select “MS Sentinel” as the SIEM type</p></figcaption></figure>

Confirm the sync is successful when you see two sample validation records in your SIEM.
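Most failed Sentinel syncs come down to one of the six prerequisites above: a missing role assignment on the DCR, a wrong DCR immutable ID, or a stream name that does not match the DCR. The following added example (not dope.security's or Microsoft's code) lets an administrator prove the Azure side works independently of dope.cloud: it gets a token for the Entra app with the client-credentials flow and posts one constructed record to the DCR stream through the Logs Ingestion API. A 403 points at the Monitoring Metrics Publisher assignment; a 404 at the DCE URL, DCR immutable ID or stream name. The environment variable names, the record's column names and the default stream name are assumptions for this example; use the stream name your DCR actually declares and the columns of your `DopeSwg_CL` table.

```python
"""Added example, not dope.security's or Microsoft's code: a smoke test of the
Entra app, DCE, DCR and role assignment listed in the prerequisites. It posts
one constructed record through the Azure Monitor Logs Ingestion API.
Environment variable names and record column names are assumptions."""
import json
import os
import urllib.error
import urllib.parse
import urllib.request
from datetime import datetime, timezone

API_VERSION = "2023-01-01"                    # Logs Ingestion API version
SCOPE = "https://monitor.azure.com/.default"  # token audience for the API


def ingestion_url(dce_endpoint: str, dcr_immutable_id: str, stream: str) -> str:
    """Compose the Logs Ingestion API endpoint for a DCE/DCR/stream triple."""
    base = dce_endpoint.rstrip("/")
    return (f"{base}/dataCollectionRules/{dcr_immutable_id}"
            f"/streams/{urllib.parse.quote(stream, safe='')}?api-version={API_VERSION}")


def token_request(tenant_id: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """Build the client-credentials token request for the Entra app."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
    }).encode()
    return urllib.request.Request(
        f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def sample_record() -> dict:
    """One constructed transaction; column names are assumed, not the table's."""
    return {
        "TimeGenerated": datetime.now(timezone.utc).isoformat(),
        "Url": "https://example.com/",   # reserved example domain
        "Verdict": 1,                    # 1 = Block, per the parameter table
        "PolicyType": "Web",
    }


def ingest_request(url: str, token: str, records: list) -> urllib.request.Request:
    """Build the POST; the body must be a JSON array, even for a single record."""
    return urllib.request.Request(
        url,
        data=json.dumps(records).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )


def run_smoke_test() -> int:
    """Read settings from the environment, send one record, return the HTTP status."""
    env = {k: os.environ[k] for k in
           ("AZ_TENANT_ID", "AZ_CLIENT_ID", "AZ_CLIENT_SECRET",
            "DCE_ENDPOINT", "DCR_IMMUTABLE_ID", "DCR_STREAM")}
    with urllib.request.urlopen(token_request(env["AZ_TENANT_ID"],
                                              env["AZ_CLIENT_ID"],
                                              env["AZ_CLIENT_SECRET"])) as resp:
        token = json.load(resp)["access_token"]
    url = ingestion_url(env["DCE_ENDPOINT"], env["DCR_IMMUTABLE_ID"], env["DCR_STREAM"])
    try:
        with urllib.request.urlopen(ingest_request(url, token, [sample_record()])) as resp:
            return resp.status           # 204: the DCR accepted the record
    except urllib.error.HTTPError as err:
        return err.code                  # 403: role missing; 404: bad DCE/DCR/stream


if __name__ == "__main__":
    # Example: DCR_STREAM=Custom-DopeSwg_CL python3 sentinel_smoke_test.py
    print("HTTP status:", run_smoke_test())
```

A 204 here, followed by the record appearing in `DopeSwg_CL` after the usual ingestion delay, means the remaining variable is what you typed into the dope.console.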

### Crowdstrike

To configure Crowdstrike, you must create a HEC Connector within your Crowdstrike console. First log in to your Crowdstrike console and go to Data Onboarding. Then add a HEC Connector and add the dopesecurity-swg parser. Once this is saved you will be provided with an API key and an API URL; copy these so you can add them to the SIEM configuration in the dope.console.

In the dope.console, navigate to Settings ➔ SIEM ➔ SIEM Integration Settings ➔ HTTP. From here select "Crowdstrike" as the SIEM type, enter the API Token and the API URL in the SIEM HTTP settings page, and sync.

<figure><img src="https://4250118259-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqdf21diS0j19gSMF9LeP%2Fuploads%2F5Bo7MbeerIu30At8iUYD%2Fsiem-crowdstrike.png?alt=media&#x26;token=7eec13d6-0704-425d-a9c4-9b372d8350fa" alt=""><figcaption></figcaption></figure>

In order to confirm that the sync is successful, you should see a couple of sample records in your SIEM as a validation test.

### Datadog

To configure Datadog, you must have the Datadog API URL and API key. The steps to obtain these can be found in the user profile page here: [https://app.datadoghq.com](https://app.datadoghq.com/).

Once you have these, in the dope.console navigate to Settings ➔ SIEM ➔ SIEM Integration Settings ➔ HTTP. From here select “Datadog” as the SIEM type, enter the API URL and the API Key, and then select sync.

<figure><img src="https://4250118259-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqdf21diS0j19gSMF9LeP%2Fuploads%2FZvIryhC8djQARRHw3MOb%2Fimage.png?alt=media&#x26;token=fc3643f0-bb1d-4538-afd5-bc6b2e9351d3" alt=""><figcaption></figcaption></figure>
