Configure ISI to receive SIEM events

This topic describes how to configure ISI to receive logon events from the SIEM system.

To receive alerts for a detected event, you must configure the SIEM system to forward the syslog messages for logon events to ISI.

ISI requires mutual authentication and TLS-secured communication for incoming logon events.

Currently only the Splunk SIEM system is supported.

Configure the Splunk heavy forwarder in ISI

To establish a connection between ISI and the SIEM heavy forwarder, you must perform the following tasks:

  • Download the Client Certificate file, which also contains the private key.

  • Download the Certificate Authority (CA) file.

  • Configure the output data and the target address on the heavy forwarder.

  1. From Privilege Cloud, click the Service picker, and select Identity Security Intelligence (ISI).

    A new browser tab opens and displays the ISI Explorer page.

  2. In the left pane, select Settings > Privileged Risks Configuration and click the Configure Forwarder Inbound Logon Events tab.

  3. In Section A, click the download buttons to download the Client Certificate file and the Certificate Authority (CA) file.

  4. In Section B, perform steps 1-5 to configure the Splunk heavy forwarder to send logon data to ISI.
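Because ISI requires mutual TLS, a mismatched key, a certificate not issued by the downloaded CA, or an expired certificate will cause the forwarder connection to be rejected. The script below is an added pre-flight check for the two files from Section A; it is not part of the ISI or Splunk documentation, and the file names and the openssl CLI are assumptions.

```bash
#!/usr/bin/env bash
# Added pre-flight check for the mutual-TLS material downloaded in Section A.
# Not from the ISI or Splunk docs; file names are placeholders.
# Assumptions: the client file holds the certificate and its private key as PEM
# blocks, and the CA file holds the PEM certificate that issued the client
# certificate. Requires the openssl CLI.

# 0 if the private key in the client file belongs to the certificate in it.
key_matches_cert() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# 0 if the client certificate chains to the CA file (what ISI checks on connect).
cert_issued_by_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 if the client certificate stays valid for at least $2 seconds (default: 1 day).
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend "${2:-86400}" >/dev/null 2>&1
}

# Run all checks, report each failure, return 0 only if everything passed.
check_isi_tls_material() {
  local client=$1 ca=$2 rc=0
  key_matches_cert "$client"        || { echo "FAIL: private key does not match client certificate"; rc=1; }
  cert_issued_by_ca "$client" "$ca" || { echo "FAIL: client certificate is not signed by the CA file"; rc=1; }
  cert_not_expiring "$client"       || { echo "FAIL: client certificate expires within 24 hours"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: client certificate, key and CA are consistent"
  return "$rc"
}

# Usage: bash check_isi_tls.sh client.pem ca.pem
if [ $# -ge 2 ]; then
  check_isi_tls_material "$1" "$2"
fi
```

Run it against the downloaded files before completing Section B, so that a failed forwarder connection can be attributed to the forwarder configuration rather than to the certificate material.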