What Tools Integrate Well with Spirion for Log Integrity Verification

Multiple external tools can be used to verify the integrity of your exported Spirion logs.

To verify the integrity of your exported Spirion logs, you should integrate with tools that support hashing, immutable storage, and automated forensic analysis. While Spirion provides the data, these external tools ensure that the data remains a trustworthy "System of Record."

1. SIEM Platforms (Aggregation & Forensics)

SIEMs are the primary tools for log integrity. They ingest Spirion logs and provide built-in mechanisms to detect tampering.

  • Splunk Enterprise & Cloud: Spirion has a Tier 1 integration with Splunk. You can use the Spirion Web API to feed logs into Splunk, which then uses its own internal indexing and hashing to ensure that once a log is ingested, it cannot be altered without detection.
  • Microsoft Sentinel: As a cloud-native SIEM, Sentinel uses Azure Monitor Logs, which supports data integrity through ingestion-time timestamps and non-editable storage buckets.
  • LogRhythm: Spirion supports log aggregation to LogRhythm for forensic investigations, allowing you to correlate Spirion administrative actions with other network events.

2. SOAR Platforms (Automated Verification)

SOAR tools can automate the "integrity check" process by running scripts that verify hashes or check for gaps in log sequences.

  • Siemplify (Google Chronicle SOAR): You can use Siemplify to create a playbook that automatically pulls Spirion logs, generates a hash, and compares it against a "known good" state or stores it in a secure ledger.
  • Palo Alto Cortex XSOAR: Similar to Siemplify, Cortex can be used to automate the verification of log exports and alert your SOC if any "log gaps" (missing sequence numbers or timestamps) are detected.

3. Immutable Storage (WORM)

To ensure logs cannot be deleted or modified after export, use storage solutions that support Write Once, Read Many (WORM) policies.

  • Amazon S3 (Object Lock): You can export Spirion logs to an S3 bucket with Object Lock enabled in "Compliance Mode." This prevents anyone—including the root user—from deleting or overwriting the logs for a fixed duration.
  • Azure Blob Storage (Immutable Storage): Similar to S3, Azure provides time-based retention policies that make the exported log files immutable.

4. Hashing & Scripting Tools

If you are building a custom export pipeline, you can use standard cryptographic tools to verify integrity.

  • Python (hashlib): As shown in previous examples, you can use Python's hashlib to generate a SHA-256 hash of every exported log file.
  • OpenSSL: You can use OpenSSL to digitally sign your log batches before they are moved to long-term storage, ensuring that the "sender" (your export script) is authenticated and the data is unchanged.

Recommendations

  • The "Double-Hash" Strategy: Generate a hash of the log file immediately after the API export and store that hash in a separate, highly restricted database. When you perform an audit, re-hash the log file and compare it to the stored value.
  • Use Correlation IDs: Spirion logs include a correlationId. Use your SIEM to ensure that every "Start" event has a corresponding "End" or "Success" event. A "Start" without an "End" can indicate that logs were deleted or the process was tampered with.
  • Monitor API Access: Use the Audit Log within the Spirion Console to monitor the service account performing the exports. If you see "Failed Login" attempts or "Unauthorized" errors for that account, it may indicate an attempt to disrupt the log integrity chain.
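The "Double-Hash" strategy and the correlationId Start/End check above, together with the hashlib approach from section 4, as one added Python example (not Spirion's own code or API). It assumes an exported batch in JSON-lines form with "correlationId" and "event" fields and uses a plain dict as the separately stored hash manifest; the sample batch is constructed.

```python
import hashlib
import hmac
import json

# Constructed sample export batch (Spirion-like JSON lines; field names assumed).
# c-002 has a Start with no End/Success, the gap the correlationId check should flag.
SAMPLE_EXPORT = b"\n".join([
    b'{"correlationId":"c-001","event":"Start"}',
    b'{"correlationId":"c-001","event":"Success"}',
    b'{"correlationId":"c-002","event":"Start"}',
    b'{"correlationId":"c-003","event":"Start"}',
    b'{"correlationId":"c-003","event":"End"}',
])


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a whole export batch, computed right after the API export."""
    return hashlib.sha256(data).hexdigest()


def record_hash(manifest: dict, name: str, data: bytes) -> str:
    """First half of the double-hash: store the digest in a separate manifest
    (stand-in for the restricted database the recommendation describes)."""
    digest = sha256_hex(data)
    manifest[name] = digest
    return digest


def verify_hash(manifest: dict, name: str, data: bytes) -> bool:
    """Audit step: re-hash the batch and compare with the stored value.
    A missing manifest entry is treated as a failure, not as 'nothing to check'."""
    stored = manifest.get(name)
    if stored is None:
        return False
    return hmac.compare_digest(stored, sha256_hex(data))


def find_unterminated(data: bytes) -> list:
    """Return correlationIds that have a Start event but no End or Success event,
    the pattern that can indicate deleted or truncated logs."""
    started, finished = set(), set()
    for line in data.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        cid = event["correlationId"]
        if event["event"] == "Start":
            started.add(cid)
        elif event["event"] in ("End", "Success"):
            finished.add(cid)
    return sorted(started - finished)
```

Run `record_hash` at export time and `verify_hash` plus `find_unterminated` at audit time; any `False` or non-empty list is an integrity finding to investigate against the Spirion Console audit log.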

Summary

For robust log integrity, integrate Spirion with Splunk or Sentinel for ingestion, use Amazon S3 Object Lock for immutable storage, and leverage SOAR platforms like Siemplify to automate the verification of hashes and sequence continuity.