Copyright © Keepnet Labs LTD. All rights reserved.

Syslog Integration

This document describes the Syslog integration, which sends the platform's Audit Log records to a Syslog server for log and alert management. Events are sent in Common Event Format (CEF) over UDP or TCP.

Follow the steps below to complete the integration.

Integration Steps

From the left menu, go to Company Settings > SIEM Integrations, click the + NEW button and fill in the fields below.

Integration Name

Enter a name for this SIEM configuration.

History Logs

Select this option to transfer every record already in the audit log to your SIEM solution.

If it is left inactive, only audit log records created after the integration is defined are transferred.

Integration Type

Select Syslog as the integration type.

URL

Enter the address of your Syslog server.

Test Connection

Run the test to confirm that the platform can reach the server.

If you selected UDP as the protocol, the platform cannot tell whether the test message arrived: UDP has no handshake or acknowledgement, so a send succeeds even when nothing is listening. Confirm the test by locating the test log on your Syslog solution (see Control Phase below).

Plain UDP and TCP syslog carry the events unencrypted, and the events include user names and e-mail addresses (see the cs2 and cs3 samples below), so unless the connection is protected by other means, keep the path between the platform and the Syslog server on a trusted network.
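The following script, an added example that is not Keepnet's code, shows why a UDP test has to be confirmed on the receiving side. It sends a constructed stand-in for the test-connection line to a loopback port with no listener over TCP and over UDP, then to a minimal UDP receiver that plays the role of the Syslog server. The host, the ports and the contents of TEST_LINE are assumptions; the platform's real test event is not shown on this page.

```python
"""Why a UDP Test Connection must be confirmed on the Syslog side.
Added example, not Keepnet's code: it sends a constructed CEF test line to a
port with no listener over TCP and over UDP, then to a tiny UDP receiver that
stands in for the Syslog server. Host, ports and the test line are assumptions."""
import socket

# Constructed stand-in for the platform's test-connection event (assumed shape).
TEST_LINE = b"CEF:0|Keepnet Labs|Platform|1.0|TestConnection|Test|Low| eventId=0"
HOST = "127.0.0.1"


def closed_port() -> int:
    """Bind an ephemeral TCP port and release it, so we know nothing listens there."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((HOST, 0))
        return s.getsockname()[1]


def tcp_send(port: int, payload: bytes) -> bool:
    """True only if the handshake completed and the line was written. A closed
    port fails here, which is why a TCP test can be judged from the platform."""
    try:
        with socket.create_connection((HOST, port), timeout=2) as s:
            s.sendall(payload + b"\n")
            return True
    except OSError:
        return False


def udp_send(port: int, payload: bytes) -> bool:
    """True if sendto() accepted the datagram. UDP has no handshake and no
    acknowledgement, so this is True even when nobody is listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.sendto(payload, (HOST, port))
            return True
        except OSError:
            return False


class UdpSyslogReceiver:
    """Minimal Syslog-server stand-in: the only place a UDP test can be confirmed."""

    def __init__(self) -> None:
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((HOST, 0))
        self.sock.settimeout(2)
        self.port = self.sock.getsockname()[1]

    def receive_one(self):
        """Return the next datagram, or None if nothing arrives within the timeout."""
        try:
            data, _ = self.sock.recvfrom(65535)
        except socket.timeout:
            return None
        return data

    def close(self) -> None:
        self.sock.close()


def run_demo() -> dict:
    """Compare what the sender can observe with what the receiver actually got."""
    dead = closed_port()
    results = {
        "tcp_to_closed_port": tcp_send(dead, TEST_LINE),  # False: connection refused
        "udp_to_closed_port": udp_send(dead, TEST_LINE),  # True: datagram silently lost
    }
    receiver = UdpSyslogReceiver()
    udp_send(receiver.port, TEST_LINE)
    results["udp_seen_by_receiver"] = receiver.receive_one() == TEST_LINE  # True
    receiver.close()
    return results


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check}: {ok}")
```

The TCP send to the dead port fails with a refused connection, so the platform can report a failed test on its own. The UDP send to the same dead port reports success, and only the receiver can tell the difference, which is the reason the page asks you to look for the test log on the Syslog side.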

CEF Format Details

The Common Event Format (CEF), developed by ArcSight, is a text log format that lets vendors and their customers integrate product events into ArcSight ESM and other SIEM tools with little or no custom parsing.

The following example shows a CEF message as it is sent over syslog. The first seven pipe-separated values are the CEF header; in standard CEF terms they are Version, Device Vendor, Device Product, Device Version, Signature ID, Name and Severity. Everything after the seventh pipe is the extension, a space-separated list of key=value pairs.

Base CEF Format: CEF:Version|Platform Name|ModuleName|ProductVersion|Operation|OperationType|Severity|Extension (eventId and the fields listed below)

Sample CEF Log Entry: CEF:0|Keepnet Labs|Incident Responder|1.0|Update|Update|Low| eventId=4722914

In the sample, the Device Vendor is Keepnet Labs (the value the Control Phase filters on), the Device Product is the module that produced the event (Incident Responder), and the extension carries eventId=4722914. A full event also carries the src, cs1 to cs3 and label fields described in the next section.

CEF Format Fields Description

This section describes how the CEF extension fields are mapped from the platform event fields in the sample log above.

CEF Extension Field   Name                Description
src                   Source IP Address   IP address of the platform that sent the event
cs1                   EntityName          Name of the affected asset (entity type) in the platform
cs2                   OldValue            Data before the change
cs3                   NewValue            Data after the change
cs1Label              EntityName          Label name of cs1
cs2Label              Old Value           Label name of cs2
cs3Label              New Value           Label name of cs3

Explanation of CEF Extension Fields

Example values for the fields listed in the table above:

  • Field src

    • src=10.20.12.85

  • Field cs1

    • SystemUser

  • Field cs2 (a JSON array with one entry per property of the entity, each giving the value before and after the change; in this sample only Email differs)

    • {"PropertyName":"Email","OldValue":"test@domain.com","NewValue":"test2@domain.com"},{"PropertyName":"FirstName","OldValue":"Andrei","NewValue":"Andrei"},{"PropertyName":"LastName","OldValue":"Kruchev","NewValue":"Kruchev"},{"PropertyName":"NormalizedEmail","OldValue":"test@domain.com","NewValue":"test@domain.com"},{"PropertyName":"NormalizedUserName","OldValue":"test@domain.com","NewValue":"test@domain.com"},{"PropertyName":"PhoneNumber","OldValue":"","NewValue":""},{"PropertyName":"UserName","OldValue":"","NewValue":""}]

  • Field cs3 (the full entity as stored after the change)

    • {"ResourceId":"lveGT1ZwCkmn","FirstName":"Andrei","LastName":"Kruchev","CompanyId":1,"CreateTime":"2022-01-29T13:31:23.959869","UpdateTime":"2022-01-29T13:40:45.2323091Z","DeleteTime":null,"CreatedBy":1,"UpdatedBy":0,"DeletedBy":null,"IsDeleted":false,"StatusId":1,"TypeId":1,"Id":1945,"UserName":"test@domain.com","NormalizedUserName":"test@domain.com","Email":"test@domain.com","NormalizedEmail":"test@domain.com","EmailConfirmed":true,"PasswordHash":"","SecurityStamp":"","ConcurrencyStamp":"*****","PhoneNumber":"","PhoneNumberConfirmed":false,"TwoFactorEnabled":false,"LockoutEnd":null,"LockoutEnabled":false,"AccessFailedCount":0}

In the cs3 sample the PasswordHash and SecurityStamp fields are empty and ConcurrencyStamp is masked as *****, while user names and e-mail addresses are sent in full. Check the events your own deployment emits for the same behaviour before forwarding them to a shared collector.

Control Phase

To make sure the integration works and logs are reaching the Syslog solution, run a test after completing the steps above.

  • Open the search view of your Syslog administration panel (the Start Searching button), or on a Linux collector run grep over the received log files.

  • Click the Test Connection button on the platform; the resulting request, along with any other platform events, should appear in the search results.

  • Filter the logs on Device Vendor = Keepnet Labs (the second CEF header field) to find the test connection log quickly.
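The script below, an added example that is not Keepnet's code, implements the CEF Format Details and Control Phase sections in code: it splits a received syslog line into the seven CEF header fields and the key=value extension (honouring the \| and \= escapes the format uses), resolves the csNLabel/csN pairs, decodes the cs2 and cs3 JSON payloads, and applies the Device Vendor = Keepnet Labs filter. The sample lines are constructed from the layout shown on this page; the syslog prefixes, the test-connection event, the other-vendor event and all values are assumptions.

```python
"""Parse CEF audit events as described on this page and run the control-phase
filter. Added example, not Keepnet's own code. The syslog prefixes, the
test-connection event and all values below are constructed sample data;
the field layout follows the page's Base CEF Format and extension table."""
import json
import re

# Standard names for the seven header fields; the page calls them Platform
# Name, ModuleName, ProductVersion, Operation, OperationType and Severity.
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# Constructed sample lines as a collector might store them (syslog PRI and
# timestamp prefix assumed). The other-vendor line and the non-CEF line are
# there to show what the control-phase filter must skip.
SAMPLE_LINES = [
    '<14>Jan 29 13:40:45 keepnet CEF:0|Keepnet Labs|Incident Responder|1.0|Update|Update|Low| '
    'eventId=4722914 src=10.20.12.85 cs1=SystemUser cs1Label=EntityName '
    'cs2=[{"PropertyName":"Email","OldValue":"test@domain.com","NewValue":"test2@domain.com"},'
    '{"PropertyName":"FirstName","OldValue":"Andrei","NewValue":"Andrei"}] cs2Label=Old Value '
    'cs3={"Id":1945,"Email":"test2@domain.com","PasswordHash":"","SecurityStamp":"",'
    '"ConcurrencyStamp":"*****"} cs3Label=New Value',
    # Assumed shape of the Test Connection event; the page does not show it.
    '<14>Jan 29 13:41:00 keepnet CEF:0|Keepnet Labs|Platform|1.0|TestConnection|Test|Low| '
    'eventId=1 src=10.20.12.85',
    # Another vendor, with an escaped pipe in the Name field and an escaped = in msg.
    '<14>Jan 29 13:41:05 fw01 CEF:0|OtherVendor|Firewall|2.3|100|Blocked \\| dropped|High| '
    'src=203.0.113.9 dst=10.20.12.85 msg=policy\\=deny',
    '<13>Jan 29 13:41:10 host sshd[100]: Accepted publickey for ops from 10.0.0.5',
]

_HEADER_SEP = re.compile(r"(?<!\\)\|")                  # a pipe not escaped as \|
_EXT_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_]+)=")  # key= at start or after a space
_ESCAPES = {"n": "\n", "r": "\r"}


def _unescape(value: str) -> str:
    """Undo CEF escaping: backslash-pipe and backslash-equals become literal,
    backslash-n and backslash-r become line breaks."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), value)


def parse_cef(line: str) -> dict:
    """Split a syslog line into the seven CEF header fields plus an extension dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    parts = _HEADER_SEP.split(line[start:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    event = dict(zip(HEADER_FIELDS, (_unescape(p) for p in parts[:7])))
    event["cef_version"] = event["cef_version"].split(":", 1)[1]
    ext = parts[7].strip()
    keys = list(_EXT_KEY.finditer(ext))
    extension = {}
    for i, match in enumerate(keys):  # each value runs until the next key
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        extension[match.group(1)] = _unescape(ext[match.end():end].strip())
    event["extension"] = extension
    return event


def labelled_fields(event: dict) -> dict:
    """Resolve csNLabel/csN pairs, e.g. {'EntityName': 'SystemUser', 'Old Value': ...}."""
    ext = event["extension"]
    return {label: ext[key[:-5]] for key, label in ext.items()
            if key.endswith("Label") and key[:-5] in ext}


def changed_properties(event: dict) -> dict:
    """Decode cs2 (JSON list of per-property diffs) and keep only real changes."""
    try:
        diffs = json.loads(event["extension"].get("cs2", "[]"))
    except json.JSONDecodeError:
        return {}
    if not isinstance(diffs, list):
        return {}
    return {d["PropertyName"]: (d["OldValue"], d["NewValue"])
            for d in diffs if d.get("OldValue") != d.get("NewValue")}


# Fields the page's cs3 sample shows empty or masked; flag them if a live event
# ever carries a real value (assumption: they should never leave the platform).
SHOULD_BE_BLANK = ("PasswordHash", "SecurityStamp", "ConcurrencyStamp")


def unmasked_secret_fields(event: dict) -> list:
    """Return cs3 entity fields that arrived with a non-empty, unmasked value."""
    try:
        entity = json.loads(event["extension"].get("cs3", "{}"))
    except json.JSONDecodeError:
        return []
    if not isinstance(entity, dict):
        return []
    return [f for f in SHOULD_BE_BLANK if entity.get(f) not in ("", None, "*****")]


def keepnet_events(lines, vendor="Keepnet Labs") -> list:
    """Control phase: keep the events whose Device Vendor is Keepnet Labs."""
    events = []
    for line in lines:
        try:
            event = parse_cef(line)
        except ValueError:  # not a CEF line at all
            continue
        if event["device_vendor"] == vendor:
            events.append(event)
    return events


if __name__ == "__main__":
    for ev in keepnet_events(SAMPLE_LINES):
        print(ev["device_product"], ev["signature_id"], ev["extension"].get("eventId"),
              labelled_fields(ev).get("EntityName"), changed_properties(ev),
              unmasked_secret_fields(ev))
```

Two design points worth noting. The header is split on unescaped pipes with a limit of seven, so a pipe inside the extension (where CEF does not require escaping) never breaks parsing, and the extension is tokenised on key= boundaries rather than on spaces, which is what keeps multi-word values such as Old Value intact. The unmasked_secret_fields check encodes the expectation drawn from the page's cs3 sample; treat it as a canary for your own deployment rather than a documented guarantee.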


Last updated 2 years ago
