Understanding different SIEM/SOAR Logs


Article ID: 100067586

Updated On:

Description

The SIEM/SOAR Logs feature allows customers to retrieve all logs and transfer them to other tools, such as Splunk, for further processing.

To receive SIEM/SOAR Logs, administrators need to log into Arctera Insight Management Console and configure the export location for the logs in the Reports and Notifications - Export Logs section.

Supported export options are:

  • AWS S3, Azure Blob via the connection string
  • Azure Blob via service principal (Microsoft Entra ID)
  • SFTP

After a successful configuration, the Insight Archiving Logs service will dump logs every midnight (DC time zone) into the configured storage.

This service collects the following details:

  • Search logs from the Arctera eDiscovery portal
  • Message logs, Activity logs, and Browser logs (including Mobile Browser, Discovery Browser, and Personal Browser) from the Arctera Management Console.

The SIEM/SOAR service identifies each collected log by its name and creation date and generates a separate CSV file for each log. If the customer has subscribed to this service, these CSV files are uploaded over a secured channel to the customer-managed storage configured above. The service relies on the following components:

  • The upload APIs provided by Amazon S3, Microsoft Azure Blob, or the SFTP server for transferring the CSV files.
  • Advanced Encryption Standard (AES-256) for protecting the data. Each object is encrypted with its own unique data key, so no single key covers more than one uploaded file.

Note: To ensure uninterrupted and secure data transmission, customers should configure the firewall rules required to allow the service to upload to their chosen storage location.

To view the CSV format of the SIEM/SOAR logs, refer to the attachments included in this article.



Attachments

  • Sample Search Log.csv
  • Sample Browser Log.csv
  • Sample Message Log.csv
  • Sample Activity Log.csv