How to integrate with the SIEM (Security Information & Event Management) and PM (Project Management) systems
Written by Arick Disilva
Updated over a week ago

You can set up a SIEM/PM integration from the Integrations screen.

Introduction to the Integrations Screen

The Integrations menu allows you to set up an integration with external Security Information and Event Management (SIEM) and Project Management (PM) software. You can then send user details and event triggers from Teramind to the integrated software.

The main Integrations screen shows you a list of current integrations. From here you can also create a new integration, change the settings of an integration or remove an integration when no longer needed.

Currently, the following built-in integration options are available:

SIEM:

  • Generic CEF

  • Generic JSON

  • HP ArcSight

  • Splunk

  • Splunk CIM

  • IBM QRadar

  • McAfee

Project Management:

  • Jira

  • Redmine

  • Zendesk

API calls and/or custom integrations may be used to connect with platforms not listed here. Please contact [email protected] if you require such an integration.

Teramind exports event information with Syslog using the Common Event Format (CEF). Any SIEM should be able to consume that.

In this article, we provide instructions for two SIEM integrations (Splunk and HP ArcSight) and two PM integrations (Zendesk and Jira). This should help you understand how the integration works and enable you to integrate with other solutions. If you still need help, please contact [email protected].

Accessing the Integrations Menu

1. Click the Gear icon near the top-right corner of the Teramind Dashboard.

2. Click Integrations underneath the pop-up menu.

Setting Up a New SIEM Integration with Splunk

1. Click the Gear icon near the top-right corner of the dashboard and select Integrations. Then, click the SETUP NEW INTEGRATION button near the top-right corner of the Integrations screen. A setup wizard will pop up.

2. Select SIEMs from the list of product types.

3. Choose Splunk or Splunk CIM from the list of products.

You can set up a Splunk integration either using the standard interface or through the CIM (Common Information Model). The CIM helps you to normalize your data to match a common standard, using the same field names and event tags for equivalent events from different sources or vendors. Both processes are similar to set up.

4. Click the NEXT STEP button to continue to Step 2:

5. Select a Transport protocol, for example TCP.

6. Provide the HOSTNAME and PORT where the SIEM product is located.

7. Click the NEXT STEP button to continue to Step 3:

The WEBSITE AUDIT event sends the System Logs to the SIEM.

8. Click the YES/NO slider button to turn an event on/off. Events which are selected will be sent to the SIEM. By default, all events will be sent.

9. Optionally, you can specify the maximum field value length. The default value is 0 (unlimited).

10. Optionally, click the Database icon for an event to configure its data mapping. A Data mapping window will pop up:

11. Map each Teramind field to the SIEM field that will be used for it. You can use the checkbox in front of a field to turn it on/off.

12. When data mapping is done, click the SAVE button to close the Data mapping window and return to the Step 3 window.

13. Click the LAUNCH INTEGRATION button to save and launch the integration. Next, you will need to configure Splunk to accept the data sent to it from Teramind:

14. Log in to your Splunk account dashboard as an administrator.

15. From the menu on top, select Settings > Source types.

16. Click the New Source Type button near the top-right corner. A pop-up window will open:

17. Give the source a Name. You can configure other options for the Source from this window. For this exercise, we just need the Name parameter.

18. Click the Save button when you are done with setting up the Source.

19. From the menu on top, select Settings > Data inputs.

20. From the list of local inputs, click the + Add new link next to the TCP row. You will be taken to the Add Data wizard screen:

21. On the first step, Select Source, enter the Port number you chose in Step 6. You can optionally set other parameters, such as overriding the source name or restricting connections to a specific host. For this exercise, we only need the Port parameter.

22. Click the Next > button to go to the next step.

23. On the second step, Input Settings, click the Select Source Type drop-down box and select the Source you created in Step 16 (e.g., my_source). You can optionally set other parameters such as app context, method, index, etc. For this exercise, we only need the Source Type parameter.

24. Click the Next > button to go to the next step.

25. On the third step, Review, review the configuration. Click the Submit > button to finish setting up the data input and go to the next step.

26. On the final step, Done, click the Start Searching button to view the data coming from your Teramind integration:

27. To find the data easily, you can optionally specify parameters such as source and sourcetype in the Search field.

28. Optionally, you can specify the interval (e.g. 5 minute window) located right next to the search field.

Setting Up a New SIEM Integration with HP ArcSight

1. Click the Gear icon near the top-right corner of the dashboard and select Integrations. Then, click the SETUP NEW INTEGRATION button near the top-right corner of the Integrations screen. A setup wizard will pop up.

2. Select SIEMs from the list of product types.

3. Choose a SIEM product from the list of products. For example, HP ArcSight.

4. Click the NEXT STEP button to continue to Step 2.

5. Select the Transport protocol (UDP or TCP).

6. Provide the Hostname and Port where the SIEM product is located.

7. Click the NEXT STEP button to continue to Step 3.

The WEBSITE AUDIT event sends the System Logs to the SIEM.

8. Click the YES/NO slider button to turn an event on/off. Events which are selected will be sent to the SIEM.

9. Click the Database icon for an event to configure its data mapping. A Data mapping window will pop up.

10. Map each Teramind field to the SIEM field that will be used for it. You can use the checkbox in front of a field to turn it on/off.

11. When data mapping is done, click the SAVE button to close the Data mapping window and return to the Step 3 window.

12. Click the LAUNCH INTEGRATION button on the Step 3 window to save and launch the integration.

Setting Up a New SIEM Integration Using the Generic CEF Option

When creating a new SIEM integration, you will notice that there is a Generic CEF option on the SIEMs product list. CEF (Common Event Format) is a text-based, open messaging standard and log format developed by ArcSight™ and used by HP ArcSight™ products.

If you use this option, Teramind will output data over the Syslog protocol using CEF data format. This will help you integrate with various SIEM tools for which Teramind does not have a built-in option.

The integration process is very similar to that for HP ArcSight. See the Setting Up a New SIEM Integration with HP ArcSight section for step-by-step instructions.
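If the receiver of the Generic CEF output is a custom collector rather than a SIEM with a built-in CEF parser, each syslog line has to be split into the CEF header and its key=value extension. The parser below is an added example, not Teramind's code; it follows the public CEF header layout, and the function names, the sample line and its vendor, product and field values are constructed placeholders.

```python
import re

# Header field names, in the order the CEF format defines them.
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
# An extension key is a token at the start or after whitespace, followed by '='.
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")
_UNESCAPE = {"n": "\n", "r": "\r"}

def _split_header(body):
    """Split on unescaped '|' into the 7 header fields and the raw extension."""
    fields, buf, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        if body[i] == "\\" and body[i + 1:i + 2] in ("|", "\\"):
            i += 1                      # drop the backslash, keep the escaped char
            buf.append(body[i])
        elif body[i] == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(body[i])
        i += 1
    if len(fields) != 7:
        raise ValueError("truncated CEF header")
    return fields, body[i:]

def _parse_extension(ext):
    """Values may contain spaces, so each value runs up to the next 'key='."""
    keys = list(_KEY.finditer(ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = re.sub(r"\\(.)", lambda e: _UNESCAPE.get(e.group(1), e.group(1)), raw)
    return out

def parse_cef(line):
    """Parse one syslog line carrying a CEF record into a dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    fields, ext = _split_header(line[start + 4:])
    return {**dict(zip(HEADER_FIELDS, fields)), "extension": _parse_extension(ext)}

# Constructed sample line (not real Teramind output); all values are placeholders.
SAMPLE = ("<134>Jan 12 10:15:02 monitor01 CEF:0|ExampleVendor|ExampleProduct|1.0|100|"
          r"Rule \| alert|5|suser=jdoe msg=Uploaded a\=b.txt to share dst=192.0.2.10")
```

Calling `parse_cef(SAMPLE)` returns the header fields plus an `extension` dict; lines without a `CEF:` marker raise `ValueError`, so a collector can count and log records it could not parse instead of silently dropping them.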

Setting Up a New PM Integration with Zendesk

1. Click the Gear icon near the top-right corner of the dashboard and select Integrations. Then, click the SETUP NEW INTEGRATION button near the top-right corner of the Integrations screen. A setup wizard will pop up.

2. Select Project management from the list of product types.

3. Choose Zendesk from the list of products.

4. Click the NEXT STEP button to continue. You will be taken to the Step 2 of 3 screen.

Before you continue to the next step, you will need to create an OAuth Client in Zendesk. To do so:

5. Access your Zendesk domain and go to the Admin section.

6. Click API under the Channels section.

7. Click the OAuth Clients tab.

8. Click the + button to add a client.

9. Use the information from Teramind’s integration wizard (Step 2 of 3 screen) to complete the form. You’ll need to fill in the Client Name, Company, Unique Identifier and Redirect URLs fields with the data provided by Teramind’s Step 2 of 3 screen.

10. Copy the data displayed in the Secret field. Go back to the Zendesk Step 2 of 3 screen in Teramind.

11. Paste the Secret key you copied from Zendesk into the CLIENT SECRET field.

12. Click I HAVE CREATED THE CLIENT IN ZENDESK, CONTINUE. A pop-up window will open:

13. Click the Allow button. Go back to the Teramind integration wizard.

14. On the Teramind integration wizard (Zendesk: Step 2 of 3 screen), click the NEXT STEP button. You will be taken to the Step 3 of 3 screen.

15. Give your project a name.

16. Add the task statuses to work on.

17. Click the MAP USERS ASSIGNMENT button. You will be taken to the user mapping screen.

18. Map the employees and supervisors. Enter the Zendesk usernames in the INTEGRABLE USERNAME field and then select the corresponding Teramind username from the TERAMIND USERNAME pull-down menu.

19. Click the SAVE button when done. You will be taken back to the Step 3 of 3 screen.

20. Click the LAUNCH INTEGRATION button on the Step 3 of 3 screen to save and launch your integration.

Setting Up a New PM Integration with Jira

1. Click the Gear icon near the top-right corner of the dashboard and select Integrations. Then, click the SETUP NEW INTEGRATION button near the top-right corner of the Integrations screen. A setup wizard will pop up.

2. Select Project management from the list of product types.

3. Choose Jira from the list of products.

4. Click the NEXT STEP button to continue. You will be taken to the Step 2 of 3 screen:

5. Note the instance / URL of your deployment (for example, https://arickteramin2.teramind.co). You will need it in Step 10.

6. Scroll down a little and note the CONSUMER KEY, CONSUMER NAME and PUBLIC KEY values. You will need these three values in Step 17 below. Keep this window open.

7. Log into your Jira dashboard. Click the Settings icon near the top-right corner.

8. Select Products from the drop-down menu. You will be taken to a new window:

9. Click Application links in the left panel.

10. Enter the instance / URL of your deployment you copied from Step 5 above.

11. Click the Create new link button. You might see a pop-up window like the one below:

12. Just click the Continue button. You will see another pop-up window, Link applications:

13. Enter an Application Name, for example, Teramind.

14. Click the Continue button. Jira will process the configurations and after a while, you will see the Applications window and your application on the list:

15. Click the small Pencil icon next to your application. A configure window will pop up:

16. Click the Incoming Authentication tab on the left panel.

17. Enter the Consumer Key, Consumer Name, and the Public Key values you copied in Step 6 above.

18. Scroll down and click the Save button to save your configurations. You will see a confirmation that your application is registered:

19. Click the Close button to close the window and return to the Applications page.

20. Copy the domain address / URL of your Jira deployment (for example, https://teramind-test.atlassian.net). You will need it in the next step, on the Teramind Dashboard:

21. Go back to your Teramind Dashboard. Enter the domain address / URL of your Jira deployment you copied in the previous step into the JIRA BASE URL field.

22. Click the I ADDED APPLICATION LINK TO JIRA, CONTINUE button. A Welcome to JIRA window will pop up:

23. Click the Allow button to authenticate your application. The window will close and you will be back on the JIRA: Step 2 of 3 screen:

24. Wait a few seconds and then you will see an Auth success message.

25. Click the NEXT STEP button to continue to JIRA: Step 3 of 3 screen:

26. Select your PROJECTS, ALLOWED TASK STATUSES, and TEST STATUSES from the corresponding fields.

27. Click the USERS ASSIGNMENT button to set up user mappings:

28. You can map EMPLOYEES and TESTERS. Assign INTEGRABLE USERNAME with TERAMIND USERNAME, assign roles, etc.

29. Click the SAVE button when you are done with the user mapping. You will be taken back to the JIRA: Step 3 of 3 screen:

30. Click the LAUNCH INTEGRATION button to save your integration and return to the External Integration screen where you will see your Jira integration:

31. You should now be able to see and import your Jira projects and tasks from the TIME TRACKING > TASKS menu.

Editing / Deleting an Integration

From the main Integration screen, under the ACTIONS column:

1. Click the Settings icon to change the connection settings for a SIEM integration.

2. Click the Database icon to change the events mapping for a SIEM integration.

3. Click the Trash Can icon to delete/remove an integration.

4. Click the Pad Lock icon to edit the app link/authorization settings for a PM integration.

5. Click the Refresh icon to change the project name, task statuses and user mapping for a PM integration.
