About ThreatSync+ NDR SIEM Integration
Applies To: ThreatSync+ NDR, Total NDR
Security Information and Event Management (SIEM) integration enables ThreatSync+ NDR to send notifications to a SIEM server through syslog in Common Event Format (CEF). With this capability, organizations can forward alerts to a central SIEM server to monitor, correlate, and analyze security events more effectively, improving threat detection and compliance. This integration expands the WatchGuard Cloud notification framework and adds syslog delivery as an alternative to email notifications for ThreatSync+ NDR.
For more information about ThreatSync+ NDR SIEM integration, go to these sections: Licensing, Add a SIEM Integration, and Configure SIEM Alerts and Notification Rules.
Licensing
To use SIEM integration with ThreatSync+ NDR, you must purchase and activate a ThreatSync+ NDR or Total NDR license. ThreatSync+ NDR and Total NDR are licensed for each user.
For more information about licensing, go to About ThreatSync+ NDR Licenses and About Total NDR Licenses.
Add a SIEM Integration
To add a SIEM integration, log in to your Subscriber account in WatchGuard Cloud and select Administration > System > Integrations.
The SIEM Integration page shows these details:
- Name — The name of the SIEM integration.
- Delivery — The ThreatSync+ NDR Collection Agent that sends notifications to the SIEM server.
- Last Update — The time and date the SIEM integration was last updated.
- Status — The status of the SIEM integration. The status can be Connected or Disconnected.
For more information, go to Configure a ThreatSync+ NDR SIEM Integration.
Configure SIEM Alerts and Notification Rules
To configure SIEM alerts and notification rules, you specify which alerts generate a notification when they are created or updated.
From the SIEM Alerts tab on the Configure > ThreatSync+ > Alerts page, select which alerts you want included in your notifications.
To configure SIEM notifications, enable SIEM on the Administration > Notifications page and select which SIEM configuration to use for the notifications.
Because Total NDR includes ThreatSync+ SaaS, the SIEM delivery method is available for ThreatSync+ SaaS notifications in accounts with a Total NDR license.
For more information, go to Configure ThreatSync+ Alerts and Notification Rules.
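The page states that notifications reach the SIEM over syslog in Common Event Format (CEF) but does not show a message, so the following receiver-side parser is an added example, not WatchGuard or ThreatSync+ NDR code. It parses the generic CEF:0 layout (seven pipe-delimited header fields, then key=value extensions) from a syslog-prefixed line so you can confirm what the collector actually receives and filter on CEF severity. The vendor, product, signature IDs and extension keys in the sample lines are constructed for illustration and are assumptions, not documented ThreatSync+ NDR output.

```python
"""Receiver-side parser and sanity check for CEF notifications carried over syslog.

Added example, not WatchGuard code. Parses the generic CEF:0 layout; the sample
lines below are constructed and their vendor/product/signature/extension values
are assumptions, not documented ThreatSync+ NDR output.
"""
import re

# Constructed sample input: an RFC 3164-style syslog prefix (<PRI>timestamp host)
# followed by a CEF:0 payload. The second header contains an escaped pipe and the
# first extension contains an escaped '=' so both escape paths are exercised.
SAMPLE_LINES = [
    "<134>Jan 15 10:22:01 ndr-agent CEF:0|ExampleVendor|ExampleNDR|1.0|1001|"
    "Suspicious outbound connection|8|src=10.0.0.5 dst=203.0.113.9 dpt=4444 "
    "msg=beacon\\=like traffic seen",
    "<134>Jan 15 10:22:03 ndr-agent CEF:0|ExampleVendor|ExampleNDR|1.0|1002|"
    "Policy \\| audit|3|src=10.0.0.7 act=allow",
]

_HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                  "signature_id", "name", "severity")
# A key is a run of word characters at line start or after whitespace, followed by '='.
# An escaped '=' is preceded by a backslash, which is not a key character, so it never matches.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
_ESCAPE = re.compile(r"\\(.)")


def _unescape(text: str) -> str:
    # Backslash before '|', '=' or a backslash yields that character; backslash-n / -r yield line breaks.
    return _ESCAPE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), text)


def _split_header(payload: str) -> tuple[list[str], str]:
    """Split the seven pipe-delimited header fields, honouring backslash escapes.
    Returns (unescaped header fields, raw extension string)."""
    fields, cur, i = [], [], 0
    while i < len(payload) and len(fields) < 7:
        ch = payload[i]
        if ch == "\\" and i + 1 < len(payload):
            cur.append(payload[i:i + 2])   # keep the escape pair; _unescape resolves it
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) != 7:
        raise ValueError(f"CEF header needs 7 '|'-delimited fields, got {len(fields)}")
    return [_unescape(f) for f in fields], payload[i:]


def _parse_extension(ext: str) -> dict[str, str]:
    """Parse 'key=value key2=value with spaces'; a value runs until the next unescaped key=."""
    keys = list(_EXT_KEY.finditer(ext))
    parsed = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        parsed[m.group(1)] = _unescape(ext[m.end():end])
    return parsed


def parse_cef(line: str) -> dict:
    """Parse one syslog line carrying a CEF payload into a flat dict; raises ValueError if malformed."""
    at = line.find("CEF:")
    if at < 0:
        raise ValueError("no CEF payload in line")
    pri = re.match(r"<(\d{1,3})>", line)          # optional syslog PRI = facility*8 + severity
    header, ext = _split_header(line[at:])
    event = dict(zip(_HEADER_FIELDS, header))
    event["version"] = int(event["version"].removeprefix("CEF:"))
    sev = event["severity"]
    if not sev.isdigit() or not 0 <= int(sev) <= 10:
        raise ValueError(f"CEF severity must be an integer 0-10, got {sev!r}")
    event["severity"] = int(sev)
    event["extension"] = _parse_extension(ext)
    if pri:
        event["syslog_facility"], event["syslog_severity"] = divmod(int(pri.group(1)), 8)
    return event


def events_at_or_above(lines, min_severity: int = 7) -> list[dict]:
    """Simple triage filter: parsed events whose CEF severity meets the threshold."""
    return [e for e in map(parse_cef, lines) if e["severity"] >= min_severity]


if __name__ == "__main__":
    for ev in map(parse_cef, SAMPLE_LINES):
        print(ev["signature_id"], ev["severity"], ev["name"], ev["extension"])
```

Run it against a few lines captured on the SIEM collector (for example from the syslog daemon's raw input log) to confirm the header field order and the extension keys before building correlation rules on them. The page does not state which syslog transport is used; check in the integration settings whether delivery to the SIEM server is encrypted and, if it is not, keep the Collection Agent and SIEM on a trusted network segment, since CEF extensions carry internal IP addresses and alert details.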