About SIEMFeeder

Applies To: WatchGuard SIEMFeeder

WatchGuard SIEMFeeder can send WatchGuard Endpoint Security data to a SIEM platform. Before it sends the data, SIEMFeeder enriches the data with security intelligence. SIEMFeeder then creates a single data flow to deliver the data to a compatible SIEM server.

Figure of SIEMFeeder information flow

Administrators can use this data to help detect unknown threats, targeted attacks, and advanced malware. The data provides in-depth visibility into the activity of processes that run across the network of an organization. SIEMFeeder acts as a link between the protection software installed on your company computers and the SIEM server of your company.

SIEMFeeder does not make any changes to the settings of a monitored computer or network. The service operates within the Endpoint Security infrastructure.

The data that SIEMFeeder provides enables administrators to:

  • Obtain visual information about the malware detected on a network, whether the malware ran, the infection vector, and any action taken by a process.
  • View the actions that processes execute, whether the processes are goodware or malware, and then detect any suspicious activity from applications.
  • Monitor attempts to obtain confidential information and prevent the theft of that information.
  • View process network connections and identify suspicious or possibly dangerous connections.
  • Find all executed applications, especially those with known vulnerabilities installed on a monitored computer.
  • Design plans to update software and adjust security policies.

To save bandwidth, the SIEMFeeder service sends data packets one time only.

Information Flow

Endpoint Security products monitor and collect process activity. The SIEMFeeder service enriches the activity data with security intelligence and places it in the Microsoft Azure infrastructure for collection. Event Importer, which runs on the computer of an administrator, then downloads the generated log files from Azure and uses Event Importer delivery channels to route the log files.


For more information about event logs, go to the WatchGuard SIEMFeeder Event Guide.

Event Importer can channel the log files in these ways:

  • Store log files in a local or remote folder that the SIEM server of the organization can connect to.
  • Send log files to an Apache Kafka queue server, where the Kafka queue server manages them.
  • Send log files to a syslog server, where the files are sent to the SIEM server of the organization.

For information about Event Importer delivery channels, go to Configure Event Log Storage and Forwarding.

SIEMFeeder Architecture

Figure of SIEMFeeder architecture

The SIEMFeeder architecture consists of these components:

Computers on the network

Computers on the network that are protected by Endpoint Security products.

WatchGuard Cloud Infrastructure

The WatchGuard Cloud infrastructure stores data from the processes that run and analyzes the data to extract security intelligence.

SIEMFeeder service

The SIEMFeeder service collects events and security data and encapsulates the data in the form of log files.

Microsoft Azure infrastructure

Azure is a cloud computing platform that receives logs from the SIEMFeeder service and stores them for collection.

Event Importer

A computer on the customer network that runs Event Importer and downloads the available logs from the Azure infrastructure.

Kafka server (optional)

A computer on the customer network that manages the queue of logs it receives from Event Importer and sends them to the company SIEM server.

Syslog server (optional)

A computer on the customer network that collects the logs it receives from Event Importer and sends them to the company SIEM server.

Shared folder (optional)

A storage system on the MSSP's network where Event Importer deposits the logs in the absence of more advanced resources, such as a Syslog or Kafka server.

SIEM server

A customer server that receives the data that Event Importer downloads and generates dashboards that help detect suspicious processes that can pose a security threat.

Local and perimeter firewalls

Firewalls protect inbound and outbound data traffic between the computer that runs Event Importer and the Azure infrastructure.

Compatible WatchGuard Products

These WatchGuard products support the SIEMFeeder service:

  • WatchGuard EDR
  • WatchGuard EPDR
  • WatchGuard Advanced EPDR

Service Availability

The SIEMFeeder service is always available to an administrator. If a service issue arises, WatchGuard notifies the administrator account of any service interruption.

To prevent data loss if a connectivity failure occurs, the computer that runs Event Importer is not available, or any other issue arises, the service retains any undelivered logs up to these limits:

  • The Azure platform retains logs for a maximum of seven days.
  • The Azure platform retains a maximum of 80 GB of data for each customer.
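
The retention limits above bound how long an Event Importer outage can last before telemetry is lost. The following is an added example, not WatchGuard code: a Python check for the folder delivery channel that measures the time since the last delivered file and compares it against the seven-day and 80 GB limits. The folder path, the `daily_volume_gb` estimate, the warning threshold, and the assumption that events arrive continuously (so a silent folder means a delivery failure) are all assumptions of the example.

```python
import os
import time

# Limits stated on this page for undelivered logs held in Azure.
RETENTION_DAYS = 7
RETENTION_GB = 80

def newest_log_mtime(log_dir):
    """Newest modification time (epoch seconds) of any file under log_dir, or None."""
    newest = None
    for root, _dirs, files in os.walk(log_dir):
        for name in files:
            mtime = os.path.getmtime(os.path.join(root, name))
            if newest is None or mtime > newest:
                newest = mtime
    return newest

def delivery_gap_status(log_dir, daily_volume_gb, now=None, warn_fraction=0.5):
    """Classify the time since the last delivered file as OK, WARN, LOSS or UNKNOWN.
    daily_volume_gb is the operator's own estimate of log volume per day (assumption).
    """
    now = time.time() if now is None else now
    last = newest_log_mtime(log_dir)
    if last is None:
        # Nothing was ever delivered: the gap length is unknown, so never report OK.
        return {"status": "UNKNOWN", "gap_days": None, "days_left": None}
    gap_days = max(0.0, (now - last) / 86400)
    # Loss starts at whichever limit is reached first: log age or accumulated size.
    budget_days = RETENTION_DAYS
    if daily_volume_gb > 0:
        budget_days = min(RETENTION_DAYS, RETENTION_GB / daily_volume_gb)
    days_left = budget_days - gap_days
    if days_left <= 0:
        status = "LOSS"
    elif gap_days >= warn_fraction * budget_days:
        status = "WARN"
    else:
        status = "OK"
    return {"status": status, "gap_days": round(gap_days, 2), "days_left": round(days_left, 2)}

if __name__ == "__main__":
    import tempfile
    # Constructed sample: one delivered file, last written 3 days ago, 20 GB/day estimate.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.log")
        open(path, "w").close()
        t = time.time() - 3 * 86400
        os.utime(path, (t, t))
        print(delivery_gap_status(d, daily_volume_gb=20))
```

At an estimated 20 GB per day the 80 GB limit is reached after four days, so the size limit, not the seven-day limit, sets the deadline for restoring Event Importer.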
