How to integrate with SIEM (Security Information & Event Management) and PM (Project Management) systems

You can set up a SIEM/PM integration from the Integrations screen.

Introduction to the Integrations Screen

The Integrations menu lets you set up an integration with external Security Information and Event Management (SIEM) and Project Management (PM) software such as HP ArcSight, Splunk, IBM QRadar, LogRhythm, Jira, Redmine, Zendesk, etc. You can then send user details and event triggers from Teramind to the integrated software.

Teramind exports event information with Syslog using the Common Event Format (CEF). Any SIEM should be able to consume that.

The main Integrations screen shows you a list of current integrations. From here you can also create a new integration, change the settings of an integration or remove an integration when no longer needed.

We have provided instructions for two SIEM integrations: Splunk and HP ArcSight. We have also provided instructions for two PM integrations: Zendesk and JIRA. This should help you understand how the integration works and enable you to integrate with other solutions. If you still need help, please contact support@teramind.co.

Accessing the Integrations Menu

  1. Click the Gear icon near the top-right corner of the Teramind Dashboard.
  2. Click Integrations underneath the pop-up menu.

Setting Up a New SIEM Integration with Splunk

  1. Click the Gear icon near the top-right corner of the dashboard, select Integrations. Then, click the SETUP NEW INTEGRATION button near the top-right corner of the Integrations screen. A setup wizard will pop up.
  2. Select SIEMs from the list of product types.
  3. Choose Splunk or Splunk CIM from the list of products.

You can set up a Splunk integration either using the standard interface or through the CIM (Common Information Model). The CIM helps you normalize your data to match a common standard, using the same field names and event tags for equivalent events from different sources or vendors. Both processes are similar to set up.

  4. Click the NEXT STEP button to continue to Step 2.
  5. Select a Transport protocol, for example TCP.
  6. Provide the HOSTNAME and PORT where the SIEM product is located.
  7. Click the NEXT STEP button to continue to Step 3.

WEBSITE AUDIT event sends the System Logs to the SIEM.

  8. Click the YES/NO slider button to turn an event on/off. Events which are selected will be sent to the SIEM. By default, all events will be sent.
  9. Optionally, you can specify the maximum field value length. The default is 0 (unlimited).
  10. Optionally, click on the Database icon for an event to configure its data mapping. A Data mapping window will pop up.
  11. Map what SIEM field will be used for the corresponding Teramind field. You can use the checkbox in front of a field to turn it on/off.
  12. When data mapping is done, click the SAVE button to close the Data mapping window and return to the Step 3 window.
  13. Click the LAUNCH INTEGRATION button to save and launch the integration. Next, you will need to configure Splunk to accept the data sent to it from Teramind.
  14. Log in to your Splunk account dashboard as an administrator.
  15. From the menu on top, select Settings > Source types.
  16. Click the New Source Type button near the top-right corner. A pop-up window will open.
  17. Give the source a Name. You can configure other options for the Source from this window. For this exercise, we just need the Name parameter.
  18. Click the Save button when you are done with setting up the Source.
  19. From the menu on top, select Settings > Data inputs.
  20. From the list of local inputs, click the + Add new link next to the TCP row. You will be taken to the Add Data wizard screen.
  21. On the first step, Select Source, enter the Port number you chose in Step 6. You can optionally set other parameters such as override source name, restrict connection to a specific host, etc. For this exercise, we only need the Port parameter.
  22. Click the Next > button to go to the next step.
  23. On the second step, Input Settings, click on the Select Source Type drop-down box and select the Source you created in Step 16 (e.g. my_sourse). You can optionally set other parameters such as app context, method, index, etc. For this exercise, we only need the Source Type parameter.
  24. Click the Next > button to go to the next step.
  25. On the third step, Review, review the configuration. Click the Submit > button to finish setting up the data input and go to the next step.
  26. On the final step, Done, click the Start Searching button to view the data coming from your Teramind integration.
  27. To find the data easily, you can optionally specify parameters such as source and sourcetype in the Search field.
  28. Optionally, you can specify the interval (e.g. 5 minute window) located right next to the search field.

Setting Up a New SIEM Integration with HP ArcSight

  1. Click the Gear icon near the top-right corner of the dashboard, select Integrations. Then, click the SETUP NEW INTEGRATION button near the top-right corner of the Integrations screen. A setup wizard will pop up.
  2. Select SIEMs from the list of product types.
  3. Choose a SIEM product from the list of products. For example, HP ArcSight.
  4. Click the NEXT STEP button to continue to Step 2.
  5. Select the Transport protocol (UDP or TCP).
  6. Provide the Hostname and Port where the SIEM product is located.
  7. Click the NEXT STEP button to continue to Step 3.

WEBSITE AUDIT event sends the System Logs to the SIEM.

  8. Click the YES/NO slider button to turn an event on/off. Events which are selected will be sent to the SIEM.
  9. Click on the Database icon to configure its data mapping. A Data mapping window will pop up.
  10. Map what SIEM field will be used for the corresponding Teramind field. You can use the checkbox in front of a field to turn it on/off.
  11. When data mapping is done, click the SAVE button to close the Data mapping window and return to the Step 3 window.
  12. Click the LAUNCH INTEGRATION button on the Step 3 window to save and launch the integration.

Setting Up a New SIEM Integration Using the Generic CEF Option

When creating a new SIEM integration, you will notice that there is a Generic CEF option on the SIEMs product list. CEF (Common Event Format) is a text-based, open messaging standard and log format developed by ArcSight™ and used by HP ArcSight™ products.

If you use this option, Teramind will output data over the Syslog protocol using the CEF data format. This will help you integrate with various SIEM tools for which Teramind does not have a built-in option.

The integration process is very similar to HP ArcSight. See the Setting Up a New SIEM Integration with HP ArcSight section for step-by-step instructions.
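
When pointing the Generic CEF output at a SIEM without a built-in option, it helps to confirm on the receiving side that each Syslog line parses into the seven CEF header fields plus key=value extensions. The parser below is an added example, not Teramind or ArcSight code; its function names are hypothetical, and the sample line (vendor, product and field values) is constructed rather than real product output.

```python
import re

HEADER = ("version", "device_vendor", "device_product", "device_version",
          "event_class_id", "name", "severity")
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-\[\]]+)=")   # key followed by an unescaped '='
_HDR_ESC = re.compile(r"\\([|\\])")                      # header escapes: \| and \\
_EXT_ESC = re.compile(r"\\([=\\nr])")                    # extension escapes: \= \\ \n \r
_CTRL = {"n": "\n", "r": "\r"}

def _unescape(text, pattern):
    return pattern.sub(lambda m: _CTRL.get(m.group(1), m.group(1)), text)

def _split_header(body):
    """Split on unescaped '|' into the 7 header fields plus the extension."""
    parts, cur, i = [], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            cur.append(body[i:i + 2])        # keep the escape pair intact
            i += 2
            continue
        if body[i] == "|" and len(parts) < 7:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(body[i])
        i += 1
    parts.append("".join(cur))
    return parts

def parse_cef(line):
    """Parse one Syslog line carrying a CEF record; raise ValueError if malformed."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in line")
    parts = _split_header(line[start + 4:].strip())
    if len(parts) < 8:
        raise ValueError("truncated CEF header")
    event = {k: _unescape(v, _HDR_ESC) for k, v in zip(HEADER, parts)}
    keys = list(_KEY.finditer(parts[7]))
    # A value runs from its '=' to the start of the next key, so it may contain spaces.
    event["extension"] = {
        m.group(1): _unescape(parts[7][m.end():(nxt.start() if nxt else None)], _EXT_ESC)
        for m, nxt in zip(keys, keys[1:] + [None])
    }
    return event

# Constructed sample line (not real product output); all names and values are made up.
SAMPLE = (r"<134>Jan 10 12:00:00 monitor-host CEF:0|ExampleVendor|Example\|Product|1.0|100|"
          r"Rule violated|5|suser=jdoe msg=opened a\=b.xlsx in C:\\Users\\jdoe dhost=files.example.test")

if __name__ == "__main__":
    print(parse_cef(SAMPLE))
```

Lines that raise ValueError are worth counting on the collector: a steady rate usually points to truncation or a transport problem rather than to the events themselves.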

Setting Up a New PM Integration with Zendesk

  1. Click the Gear icon near the top-right corner of the dashboard, select Integrations. Then, click the SETUP NEW INTEGRATION button near the top-right corner of the Integrations screen. A setup wizard will pop up.
  2. Select Project management from the list of product types.
  3. Choose Zendesk from the list of products.
  4. Click the NEXT STEP button to continue. You will be taken to the Step 2 of 3 screen.

Before you continue with Step 2, you need to create an OAuth Client in Zendesk. To do so:

  5. Access your Zendesk domain, go to the Admin section.
  6. Click API under the Channels section.
  7. Click the OAuth Clients tab.
  8. Click the + button to add a client.
  9. Use the information from Teramind’s integration wizard (Step 2 of 3 screen) to complete the form. You’ll need to fill in the Client Name, Company, Unique Identifier and Redirect URLs fields with the data provided by Teramind’s Step 2 of 3 screen.
  10. Copy the data displayed on the Secret field. Go back to the Zendesk Step 2 of 3 screen on Teramind.
  11. Paste the Secret key you copied from Zendesk on the CLIENT SECRET field.
  12. Click I HAVE CREATED THE CLIENT IN ZENDESK, CONTINUE. A pop-up window will open.
  13. Click the Allow button. Go back to the Teramind integration wizard.
  14. On the Teramind integration wizard (Zendesk: Step 2 of 3 screen), click the NEXT STEP button. You will be taken to the Step 3 of 3 screen.
  15. Give your project a name.
  16. Add the task statuses to work on.
  17. Click the MAP USERS ASSIGNMENT button. You will be taken to the user mapping screen.
  18. Map the employees and supervisors. Enter the Zendesk usernames on the INTEGRABLE USERNAME field and then select the corresponding Teramind username from the TERAMIND USERNAME pull-down menu.
  19. Click the SAVE button when done. You will be taken back to the Step 3 of 3 screen.
  20. Click the LAUNCH INTEGRATION button on the Step 3 of 3 screen to save and launch your integration.

Setting Up a New PM Integration with Jira

  1. Click the Gear icon near the top-right corner of the dashboard, select Integrations. Then, click the SETUP NEW INTEGRATION button near the top-right corner of the Integrations screen. A setup wizard will pop up.
  2. Select Project management from the list of product types.
  3. Choose Jira from the list of products.
  4. Click the NEXT STEP button to continue. You will be taken to the Step 2 of 3 screen.
  5. Note the instance / URL of your deployment (for example, https://arickteramin2.teramind.co). You will need it in Step 10.
  6. Scroll down a little, note the CONSUMER KEY, CONSUMER NAME and the PUBLIC KEY values. You will need these three values in Step 17 below. Keep this window open.
  7. Log in to your Jira dashboard. Click the Settings icon near the top-right corner.
  8. Select Products from the drop-down menu. You will be taken to a new window.
  9. Click Application links in the left panel.
  10. Enter the instance / URL of your deployment you copied in Step 5 above.
  11. Click the Create new link button. You might see a pop-up window.
  12. Just click the Continue button. You will see another pop-up window, Link applications.
  13. Enter an Application Name, for example, Teramind.
  14. Click the Continue button. Jira will process the configurations and after a while, you will see the Applications window and your application on the list.
  15. Click the small Pencil icon next to your application. A configure window will pop up.
  16. Click the Incoming Authentication tab on the left panel.
  17. Enter the Consumer Key, Consumer Name and the Public Key values you copied in Step 6 above.
  18. Scroll down and click the Save button to save your configurations. You will see a confirmation that your application is registered.
  19. Click the Close button to close the window and return to the Applications page.
  20. Copy the domain address / URL of your Jira deployment (for example, https://teramind-test.atlassian.net). You will need it in the next step, on the Teramind Dashboard.
  21. Go back to your Teramind Dashboard. Enter the domain address / URL of your Jira deployment you copied in the previous step into the JIRA BASE URL field.
  22. Click the I ADDED APPLICATION LINK TO JIRA, CONTINUE button. A Welcome to JIRA window will pop up.
  23. Click the Allow button to authenticate your application. The window will close and you will be back on the JIRA: Step 2 of 3 screen.
  24. Wait a few seconds and then you will see an Auth success message.
  25. Click the NEXT STEP button to continue to the JIRA: Step 3 of 3 screen.
  26. Select your PROJECTS, ALLOWED TASK STATUSES and TEST STATUSES from the corresponding fields.
  27. Click the USERS ASSIGNMENT button to set up user mappings.
  28. You can map EMPLOYEES and TESTERS. Assign INTEGRABLE USERNAME with TERAMIND USERNAME, assign roles, etc.
  29. Click the SAVE button when you are done with the user mapping. You will be taken back to the JIRA: Step 3 of 3 screen.
  30. Click the LAUNCH INTEGRATION button to save your integration and return to the External Integration screen where you will see your Jira integration.
  31. You should now be able to see and import your Jira projects and tasks from the TIME TRACKING > TASKS menu.

Editing / Deleting an Integration

From the main Integration screen, under the ACTIONS column:

  1. Click the Settings icon to change the connection settings for a SIEM integration.
  2. Click the Database icon to change the events mapping for a SIEM integration.
  3. Click the Trash Can icon to delete/remove an integration.
  4. Click the Pad Lock icon to edit the app link/authorization settings for a PM integration.
  5. Click the Refresh icon to change the project name, task statuses and user mapping for a PM integration.