Configure NSX Network Detection and Response to send the event logs for campaigns and detections to your SIEM (Security Information & Event Management) server.

Procedure

  1. Navigate to Threat Detection & Response > Settings and then click the SIEM Configuration tab.
  2. Click Add Configuration.
  3. Configure the SIEM settings:

     Name
       Enter a unique name for the SIEM configuration.

     Endpoint Type
       Choose the endpoint to which NSX Network Detection and Response sends the event logs:
       • Splunk: The endpoint is a Splunk server (either on-premises or cloud hosted).
       • VMware Aria Operations for Logs: The endpoint is a VMware Aria Operations for Logs server. For details, see the VMware Aria Operations for Logs documentation.
       • Default: Configure a custom endpoint with custom headers.

     Endpoint URL
       Enter the URL at which the SIEM receives logs formatted as JSON documents.
       For the Splunk Cloud endpoint URL(s), see: https://docs.splunk.com/Documentation/Splunk/8.2.6/Data/UsetheHTTPEventCollector#Send_data_to_HTTP_Event_Collector_on_Splunk_Cloud_Platform.
       For the Splunk Enterprise endpoint URL, see: https://docs.splunk.com/Documentation/Splunk/8.2.6/Data/UsetheHTTPEventCollector#Send_data_to_HTTP_Event_Collector_on_Splunk_Enterprise.

     Activation Status
       Use this toggle to activate or deactivate the SIEM integration. Deactivating it stops NSX Network Detection and Response from sending event log data to the SIEM.

     SSL Verification
       Use this toggle to activate or deactivate SSL verification for event logs that are sent over HTTPS.
       We recommend that you do not deactivate SSL verification in a production environment: without it, the SIEM's certificate is not checked, which exposes your SIEM notifications to man-in-the-middle attacks in which an attacker intercepts and modifies the notifications.

     Add Header
       To add an HTTP header to the event logs that are sent to the SIEM, click Add Header and enter the necessary values:
       • Header Name: Enter the header name.
       • Header Value: Enter the string to be sent in the HTTP request to the SIEM, for example the secret key used for Splunk's token-based authentication.
       For Splunk, ensure that the header contains the HTTP Event Collector (HEC) token in the format:
         Authorization: Splunk <hec token>
       For more details about sending logs to Splunk, see Splunk: Format events for HTTP Event Collector.
       For VMware Aria Operations for Logs, ensure that the headers contain the following:
       • Content-Type: application/json
       • The authentication bearer token in the format:
         Authorization: Bearer <bearer token>
       Caution: After you save the SIEM configuration, the header value is hidden and cannot be revealed. To edit the header later, you must know the header value, so retain that value or keep access to it.

     Description
       Optionally, add a description for the SIEM configuration.
  4. Click Save.
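The settings above map directly onto a single HTTPS request per event: a JSON body, an Authorization header whose format depends on the endpoint type, and a TLS session whose certificate check the SSL Verification toggle controls. The following added example (not NSX code or VMware's; written for this page) builds those headers for each endpoint type, flags the two weak settings a reviewer would reject (a plain-HTTP URL and disabled SSL verification), wraps a constructed detection record in the Splunk HEC event envelope, and sends it. The hostname, port, path, token and detection record are constructed sample values; the `nsx:ndr` sourcetype is an assumption, not a documented value.

```python
import json
import ssl
import urllib.request
from urllib.parse import urlparse

# Endpoint types, named after the choices in the NSX SIEM Configuration dialog.
SPLUNK = "splunk"
ARIA = "aria"       # VMware Aria Operations for Logs
DEFAULT = "default"  # custom endpoint with custom headers


def build_headers(endpoint_type, token=None, custom_headers=None):
    """Return the HTTP headers the SIEM endpoint expects for this endpoint type."""
    headers = {"Content-Type": "application/json"}
    if endpoint_type == SPLUNK:
        if not token:
            raise ValueError("Splunk endpoints need the HEC token")
        headers["Authorization"] = f"Splunk {token}"       # format from the page
    elif endpoint_type == ARIA:
        if not token:
            raise ValueError("Aria Operations for Logs endpoints need a bearer token")
        headers["Authorization"] = f"Bearer {token}"       # format from the page
    elif endpoint_type == DEFAULT:
        headers.update(custom_headers or {})
    else:
        raise ValueError(f"unknown endpoint type: {endpoint_type!r}")
    return headers


def check_config(url, ssl_verify):
    """Return a list of findings for a SIEM configuration; an empty list means OK."""
    findings = []
    if urlparse(url).scheme != "https":
        findings.append("endpoint is not HTTPS: the token and event data travel in clear text")
    if not ssl_verify:
        findings.append("SSL verification is off: the SIEM certificate is not checked "
                        "(man-in-the-middle risk)")
    return findings


def splunk_hec_event(detection, sourcetype="nsx:ndr"):
    """Wrap a detection record in the HEC envelope: the record goes under "event"."""
    return {"event": detection, "sourcetype": sourcetype}   # sourcetype is an assumption


def send_event(url, headers, body, ssl_verify=True, timeout=10):
    """POST one JSON document to the SIEM and return the HTTP status code."""
    ctx = ssl.create_default_context()
    if not ssl_verify:                      # mirrors the SSL Verification toggle
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample values; replace with your own SIEM endpoint and token.
    hec_url = "https://splunk-hec.example.internal:8088/services/collector/event"
    hec_token = "00000000-0000-0000-0000-000000000000"
    detection = {"campaign_id": "sample-campaign-1", "severity": "high",
                 "src_ip": "10.0.0.5", "detection": "sample detection"}

    for finding in check_config(hec_url, ssl_verify=True):
        print("WARNING:", finding)
    headers = build_headers(SPLUNK, token=hec_token)
    print("headers:", headers)
    print("body:", json.dumps(splunk_hec_event(detection)))
    # send_event(hec_url, headers, splunk_hec_event(detection), ssl_verify=True)
```

Running `check_config` against a configuration before saving it surfaces the two settings the page warns about; the send itself is left commented out because it needs a reachable SIEM.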

Results

NSX Network Detection and Response is connected to the specified SIEM and will send it the campaign and event logs as they occur.