SIEM Integration for True Protection



True Protection by Jag supports integration with Security Information and Event Management (SIEM) platforms, enabling centralized log collection, correlation, and analysis alongside your other security tools.

Supported SIEM Platforms

  • Splunk: Native integration using the True Protection Splunk App, available on Splunkbase.
  • Microsoft Sentinel: Direct integration through the Azure Marketplace connector.
  • Elastic Security: Logstash input plugin for True Protection event data.
  • IBM QRadar: DSM (Device Support Module) available for log parsing and event mapping.
  • Generic Syslog: Forward events via Syslog (UDP, TCP, or TLS) to any SIEM that supports standard syslog ingestion.

Configuration

  • Step 1: In the Management Console, navigate to Settings > Integrations > SIEM.
  • Step 2: Select your SIEM platform from the list or choose Generic Syslog.
  • Step 3: Enter the connection details (hostname, port, protocol, and authentication credentials).
  • Step 4: Select which event categories to forward (threats, policy changes, user actions, system events).
  • Step 5: Click Test Connection to verify, then Save.

Event Format

True Protection events are transmitted in CEF (Common Event Format) or JSON format. Each event includes a timestamp, severity level, device identifier, event category, and detailed event data. Custom field mappings can be configured for SIEM platforms that require specific field names.
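As an added example (not part of this article or of True Protection's own tooling), a small Python parser for CEF events of the shape described above: it splits the pipe-delimited header with its escapes, parses the extension into the timestamp, device identifier, category and detail fields, applies a custom field map of the kind a SIEM may need, and rejects truncated headers and out-of-range severities. The vendor and product strings come from this page; the version, signature IDs and extension keys in the sample lines are constructed assumptions.

```python
import re
HEADER_KEYS = ("cef_version", "vendor", "product", "device_version", "signature_id", "name", "severity")
# Default CEF extension key -> normalized field (the page's timestamp, device
# identifier, category). Which keys True Protection really emits is an
# assumption; override per SIEM by passing a custom field map to parse_cef.
DEFAULT_MAP = {"rt": "timestamp", "dvc": "device_id", "dvchost": "device_id", "cat": "category"}
# Constructed sample events, not real True Protection output (version and
# signature IDs are placeholders). Raw strings keep the CEF escapes intact.
SAMPLE = [
    r"CEF:0|Jag|True Protection|2.4|TP-1001|Threat blocked \| quarantined|8|rt=1717400000000 dvc=10.0.0.12 cat=threat fname=C:\\tmp\\bad.exe msg=hash\=abc",
    r"CEF:0|Jag|True Protection|2.4|TP-2001|Policy changed|4|rt=1717400600000 dvchost=tp-mgmt-01 cat=policy suser=admin",
]

def _split_header(line: str):
    # Split the seven pipe-delimited header fields, honouring \| and \\ escapes.
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields, cur, i = [], [], 4
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):   # escaped char: take it literally
            cur.append(line[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return fields, line[i:]

def _parse_extension(ext: str) -> dict:
    # key=value pairs; values may hold spaces ('=' and '\' are escaped), so a value runs to the next ' key='.
    hits = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_]+)=", ext))
    out = {}
    for n, h in enumerate(hits):
        end = hits[n + 1].start() if n + 1 < len(hits) else len(ext)
        out[h.group(1)] = re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}
                                 .get(m.group(1), m.group(1)), ext[h.end():end])
    return out

def parse_cef(line: str, field_map: dict = None) -> dict:
    fields, ext = _split_header(line)
    event = dict(zip(HEADER_KEYS, fields))
    event["severity"] = int(event["severity"])
    if not 0 <= event["severity"] <= 10:
        raise ValueError("CEF severity must be 0-10")
    mapping = {**DEFAULT_MAP, **(field_map or {})}
    for key, value in _parse_extension(ext).items():
        event[mapping.get(key, key)] = value
    return event
```

Feed it one line per forwarded event; a `ValueError` on a line is the signal to alert on malformed or truncated forwarding rather than silently dropping the event.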
