Create Connections - SIEM
A connection creates a link between LogicHub and an external system such as a SIEM environment. Active connections let you bring data into LogicHub for playbook analysis or serve as the destination for playbook results.
To view or set up connections, you must be in a group that has connection permission. For more information, see Manage Users.
Create a Connection
- Select My Library > Connections.
- Click New. The Add Connection form opens up.
- Assign a name to identify the connection.
- Select the connection type.
You can connect to your SIEM (SumoLogic, Splunk, Devo, or ElasticSearch), a file, or a directory.
- If you select a SIEM, you must enter the API connection credentials. For example, to connect to your Splunk environment, select Splunk for Type, and enter the username and secret to access the service.
- In the URL field, enter the domain to access the SIEM or file.
Splunk API Port
Splunk defaults to port 8089 for API connections, and LogicHub uses the same default. So when you enter https://your-splunk.your-company.com as the URL, LogicHub connects to port 8089. If you have changed the API port in your Splunk environment, add the port to the URL. For example, some customers change from 8089 to 443, the standard port for HTTPS. In this case, you would specify https://your-splunk.your-company.com:443 in the URL field.
- Click Save.
The Connections page reopens and shows the list of connections. The Connection Status column indicates the status of each connection: the green Active icon indicates that the connection is active, and the red Error icon indicates that the connection isn't working.
Click an entry to edit the settings, or click the trash can icon to delete an entry.
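A pre-flight check for the URL field, added here as an example (not LogicHub or Splunk code): it applies the Splunk API Port rule above (8089 unless the URL names a port) and confirms that the endpoint answers over certificate-verified TLS. The function names, and the https-only and no-credentials-in-URL checks, are assumptions of this example.

```python
import socket
import ssl
from urllib.parse import urlsplit

SPLUNK_DEFAULT_API_PORT = 8089  # default stated on this page


def resolve_splunk_endpoint(url):
    """Return (host, port) that a URL-field value would target."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError("use an https:// URL so credentials travel over TLS")
    if parts.username or parts.password:
        raise ValueError("put credentials in the form fields, not in the URL")
    if not parts.hostname:
        raise ValueError("URL has no host")
    # parts.port is None when no port is written; a malformed port raises ValueError.
    port = parts.port if parts.port is not None else SPLUNK_DEFAULT_API_PORT
    return parts.hostname, port


def check_tls_reachable(url, timeout=5.0):
    """Open a certificate-verified TLS connection to the resolved endpoint.

    Returns (True, detail) or (False, reason). Needs network access.
    """
    host, port = resolve_splunk_endpoint(url)
    context = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"{host}:{port} negotiated {tls.version()}"
    except ssl.SSLCertVerificationError as exc:
        return False, f"{host}:{port} certificate not trusted: {exc.verify_message}"
    except OSError as exc:
        return False, f"{host}:{port} unreachable: {exc}"


if __name__ == "__main__":
    # Constructed sample values using the placeholder host from this page.
    for sample in ("https://your-splunk.your-company.com",
                   "https://your-splunk.your-company.com:443"):
        print(sample, "->", resolve_splunk_endpoint(sample))
```

Run `check_tls_reachable` from a host on the same network path as LogicHub; a failure here usually explains a red Error status after saving.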
Updated about 1 year ago