Configure SIEM

Aruba IDPS provides the option to send threat event data to a third-party Security Incident and Event Management (SIEM) server such as Splunk, which allows you to perform advanced analysis and generate reports. SIEM provides a holistic picture of the security posture of your organization by aggregating and correlating data from disparate sources in the network. For information about how to set up the HTTP Event Collector in Splunk Web, see https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/UsetheHTTPEventCollector.

Aruba Central sends the threat data in gzip format to the Splunk server. The data is sent in batches based on count or time (500 threats or 30 seconds), whichever occurs first.
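The count-or-time batching and gzip delivery described above can be modelled end to end. The following is an added example, not Aruba code and not a description of Aruba Central's actual wire format (which this page does not document): it accumulates constructed threat events, flushes when either the 500-event or the 30-second threshold trips, wraps each event in a standard Splunk HTTP Event Collector (HEC) JSON envelope that names the target index, gzip-compresses the body, and hands the URL, headers, and body to a caller-supplied sender. The `/services/collector/event` path and the `Authorization: Splunk <token>` header are standard HEC conventions; the `aruba:idps:threat` sourcetype, the event field names, and the token value are assumptions.

```python
import gzip
import json
import time
from typing import Callable, Dict, List, Optional

# Flush thresholds quoted on the page: 500 threats or 30 seconds, whichever comes first.
MAX_BATCH_EVENTS = 500
MAX_BATCH_SECONDS = 30.0

# Assumed sourcetype; not documented on the page.
SOURCETYPE = "aruba:idps:threat"

Sender = Callable[[str, Dict[str, str], bytes], None]


def build_hec_payload(events: List[dict], index: str) -> bytes:
    """Wrap each event in a HEC envelope and gzip the newline-joined body.

    HEC accepts several JSON envelopes concatenated in one request body. Naming
    the index in every envelope keeps events from landing in the token's default
    index if the collector side is misconfigured."""
    lines = [
        json.dumps({
            "time": ev["ts"],            # epoch seconds of the detection
            "index": index,
            "sourcetype": SOURCETYPE,
            "event": ev,
        })
        for ev in events
    ]
    return gzip.compress("\n".join(lines).encode("utf-8"))


def decode_hec_payload(body: bytes) -> List[dict]:
    """Inverse of build_hec_payload, as a collector (or a test) would see it."""
    text = gzip.decompress(body).decode("utf-8")
    return [json.loads(line) for line in text.splitlines() if line]


class HecBatcher:
    """Accumulates threat events and flushes one gzip HEC request per batch."""

    def __init__(self, hec_base_url: str, token: str, index: str,
                 sender: Sender, clock: Callable[[], float] = time.monotonic):
        self.hec_url = hec_base_url.rstrip("/") + "/services/collector/event"
        self.token = token
        self.index = index
        self.sender = sender          # real deployments: HTTPS POST with TLS verification on
        self.clock = clock            # injectable so the time threshold is testable
        self.pending: List[dict] = []
        self.batch_started: Optional[float] = None

    def add(self, threat: dict) -> bool:
        """Queue one event; returns True if this event caused a flush."""
        if not self.pending:
            self.batch_started = self.clock()
        self.pending.append(threat)
        return self.maybe_flush()

    def maybe_flush(self) -> bool:
        """Flush if the count or age threshold has been reached (call periodically)."""
        if not self.pending or self.batch_started is None:
            return False
        age = self.clock() - self.batch_started
        if len(self.pending) >= MAX_BATCH_EVENTS or age >= MAX_BATCH_SECONDS:
            self.flush()
            return True
        return False

    def flush(self) -> None:
        body = build_hec_payload(self.pending, self.index)
        headers = {
            "Authorization": f"Splunk {self.token}",
            "Content-Type": "application/json",
            "Content-Encoding": "gzip",
        }
        self.sender(self.hec_url, headers, body)
        self.pending = []
        self.batch_started = None


def demo() -> list:
    """Three constructed threats, flushed by the time threshold; returns what was 'sent'."""
    sent: list = []
    fake_clock = [1000.0]
    batcher = HecBatcher(
        "https://splunk.example.com:8088",   # constructed HEC URL
        "PLACEHOLDER-HEC-TOKEN",             # placeholder, not a real token
        "aruba_idps",                        # constructed index name
        sender=lambda url, hdrs, body: sent.append((url, hdrs, body)),
        clock=lambda: fake_clock[0],
    )
    for i in range(3):                        # constructed sample threat events
        batcher.add({"ts": 1700000000 + i, "signature": f"constructed-sig-{i}",
                     "src": "10.0.0.5", "dst": "203.0.113.7", "severity": "high"})
    fake_clock[0] += 31.0                     # 31 s elapse: time threshold fires
    batcher.maybe_flush()
    return sent


if __name__ == "__main__":
    for url, hdrs, body in demo():
        print(url, hdrs["Content-Encoding"], len(decode_hec_payload(body)), "events")
```

The `sender` callable is where a real implementation performs the HTTPS POST; keep certificate verification enabled so the token is only ever presented to the genuine collector, and store the token outside the code.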

SIEM configuration is available only in the All Devices context. If configured, threat data from all 9004 Branch Gateways connected to Aruba Central are sent to the SIEM server.

Before you begin

Ensure that the following requirements are met before you configure the SIEM server:

  1. You have an active subscription with a third-party SIEM provider such as Splunk.
  2. You have the server URL, an index, and the authentication token handy to enter the details while configuring SIEM.

To learn how to configure Splunk and obtain the details required to configure SIEM, see the section Set up and use HTTP Event Collector in https://docs.splunk.com/Documentation/SplunkCloud.

The following sections explain how to manage the SIEM: