This article provides information about the permissions needed for TIE events that need to be sent from ePO to SIEM.
If TIE events are displayed in ePO but not in the SIEM user interface where other ePO data sources display events, you might need to edit the permission settings for TIE Topics in ePO.
These settings must be reconfigured in the following scenarios:
- If you've added TIE to ePO
- If you've recently changed permission settings in TIE
- If you've stopped receiving TIE events in SIEM
ePO must allow TIE to publish its events on TIE's own topic in the DXL Fabric, and the SIEM Event Receiver must be allowed to receive on that topic. If you can see TIE events in the ePO console but none of those events are being reported to the SIEM, configure the Topic Permissions for TIE in ePO as follows.
Steps to set TIE Topic Permissions in ePO:
- Log on to the ePO console using the admin account.
- Select Server Settings.
- Select DXL Topic Authorizations from the side bar.
- Locate the TIE Server Reputation Notification topic group.
- Verify that the Receive column shows All Systems or a Tag that is applied only to the SIEM Event Receiver (ERC).
- If these settings aren't displayed in the TIE Server Reputation Notification topic group, click Edit.
- Select the TIE Server Reputation Notification option.
- Use the Actions menu and select Restrict Receive Tags.
- Deselect everything to allow all systems to receive notifications, or, to limit which systems can subscribe to the topic, select a Tag that is applied only to the ERC.
- Select Server Tasks and run the Manage DXL Brokers task.
- Perform the Wake Up Agent task on the ERC from the ePO console.
- In an SSH session on the ERC, restart the Receiver services by running NitroStop followed by NitroStart. Alternatively, restart only the collector service: run killall collectorsctl, repeating it until no collectorsctl process remains, then start the collector again by running collectorsctl -- +laux.
- Wait 10–15 minutes, then verify that TIE events are displayed in the SIEM GUI.
Steps to set Active Response Topic Permissions in ePO:
- Log on to the ePO console using the admin account.
- Select Server Settings.
- Select DXL Topic Authorizations from the side bar.
- Locate the Active Response Server API topic group.
- Verify that the Send Restrictions and Receive Restrictions columns show All Systems or a Tag that is applied only to the ERC.
- If these settings aren't displayed in the Active Response Server API topic group, click Edit.
- Select the checkbox next to the Active Response Server API topic.
- Use the Actions menu and select Restrict Receive Tags.
- Deselect everything to allow all systems to receive notifications, or, to limit which systems can subscribe to the topic, select a Tag that is applied only to the ERC.
- Verify that both Send Restrictions and Receive Restrictions are configured correctly.
- Select Server Tasks and run the Manage DXL Brokers task.
- Perform the Wake Up Agent task on the Receiver (ERC) from the ePO console.
- In an SSH session on the SIEM Event Receiver, restart the Receiver services by running NitroStop followed by NitroStart. Alternatively, restart only the collector service: run killall collectorsctl, repeating it until no collectorsctl process remains, then start the collector again by running collectorsctl -- +laux.
- Wait 10–15 minutes, then verify that TIE events are displayed in the SIEM GUI.
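Both procedures above end with the same restart step on the Receiver: run killall against the collector until no process remains, then start it again. The instruction "run killall until it closes" has no upper bound, so an operator can loop forever on a process that ignores SIGTERM. The script below is an added example, not part of this article or of the ePO, TIE or SIEM products, of a bounded version of that step. It assumes a Linux host with /proc available and matches processes by their command name in /proc/PID/comm instead of calling killall, so it does not depend on the psmisc package being installed; the process name collectorsctl and the start command collectorsctl -- +laux are taken from the article and are passed in as parameters, so the helper itself can be exercised against any process.

```shell
#!/bin/sh
# Added example (not from the KB article): bounded stop-and-restart of a
# collector process. Assumes Linux /proc; replaces the article's killall with
# a /proc/PID/comm scan so it does not depend on psmisc.

# pids_of NAME: print the PIDs whose command name (/proc/PID/comm) is exactly NAME.
pids_of() {
    for d in /proc/[0-9]*; do
        [ -r "$d/comm" ] || continue
        if [ "$(cat "$d/comm" 2>/dev/null)" = "$1" ]; then
            printf '%s\n' "${d#/proc/}"
        fi
    done
}

# is_running NAME: succeed if at least one process with that command name exists.
is_running() {
    [ -n "$(pids_of "$1")" ]
}

# stop_process NAME [TIMEOUT]: send SIGTERM to every matching process once per
# second until none remains; after TIMEOUT seconds (default 30) escalate to
# SIGKILL. Returns 0 when the process is gone, 1 if it survived even SIGKILL.
stop_process() {
    name=$1
    timeout=${2:-30}
    elapsed=0
    while is_running "$name"; do
        if [ "$elapsed" -ge "$timeout" ]; then
            for p in $(pids_of "$name"); do kill -KILL "$p" 2>/dev/null; done
            sleep 1
            is_running "$name" && return 1
            return 0
        fi
        for p in $(pids_of "$name"); do kill -TERM "$p" 2>/dev/null; done
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 0
}

# restart_collector NAME START_CMD [TIMEOUT]: stop NAME, then run START_CMD.
# On the Receiver this would be:
#   restart_collector collectorsctl 'collectorsctl -- +laux'
# (command from the article; this wrapper is the added part).
restart_collector() {
    stop_process "$1" "${3:-30}" || { echo "could not stop $1" >&2; return 1; }
    sh -c "$2"
}
```

Run it as root on the Receiver with the collector name and start command shown in the comment; the timeout argument is the maximum number of seconds to keep sending SIGTERM before escalating, which is the bound the article's wording lacks.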