Ingesting RapidIdentity logs into your SIEM/SOAR/MDR solution
  • 05 Jun 2025


There are three options for ingesting RapidIdentity logs into a SIEM (Security Information and Event Management), SOAR (Security Orchestration, Automation and Response), or MDR (Managed Detection and Response) system:

  • The recommended option is the syslog forwarding capability in RapidIdentity, which lets you send an audit log to a syslog server.

    • We recommend using the identity bridge to forward the data over TLS to an endpoint on your network. If your SIEM is local, then you can point it at a local resource.

    • If your SIEM is cloud-based, you can use open source software such as syslog-ng Open Source Edition to perform store and forward as needed. We recommend discussing this with your SIEM vendor.

    • There is one known limitation, which is rarely impactful: messages over 4k will appear as incomplete JSON messages and may be dropped by third-party SIEMs.

    • Syslog Configuration provides details to configure RapidIdentity for this.

  • You can also use the RapidIdentity Security Connector, a proprietary pub/sub API we provide that has real-time streaming. This method does come at a premium charge. Additionally, your SIEM provider would need to implement against this API to ingest the audit events. This capability is detailed in the article Pub/Sub API.

  • You can utilize our K-12 specific SIEM/SOAR solution called Security Manager.
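
The 4k limitation noted under the syslog option means a receiver can be handed a line whose JSON body is cut off. The Python below is an added example, not RapidIdentity code: it separates parseable audit events from incomplete ones so they can be quarantined and counted instead of silently dropped. The syslog header layout, the field names, and the 4096-byte reading of "4k" are assumptions, and the sample lines are constructed.

```python
import json

# Assumption: each received line is a syslog header followed by one JSON
# object. The real RapidIdentity header layout is not given on the page.
LIMIT_BYTES = 4096  # assumed reading of the page's "4k"
HEADER = "<134>Jun  5 12:00:00 idbridge rapididentity: "  # constructed header


def classify(line):
    """Return status 'ok', 'incomplete' or 'no_json' for one syslog line."""
    size = len(line.encode("utf-8"))
    start = line.find("{")
    if start == -1:
        return {"status": "no_json", "bytes": size, "event": None}
    try:
        # raw_decode parses one JSON value and tolerates trailing text.
        event, _ = json.JSONDecoder().raw_decode(line, start)
    except json.JSONDecodeError:
        return {"status": "incomplete", "bytes": size, "event": None}
    return {"status": "ok", "bytes": size, "event": event}


def triage(lines):
    """Split lines into parsed events and quarantined (status, bytes, raw)."""
    parsed, quarantined = [], []
    for line in lines:
        result = classify(line)
        if result["status"] == "ok":
            parsed.append(result["event"])
        else:
            quarantined.append((result["status"], result["bytes"], line))
    return parsed, quarantined


def sample_lines():
    """Constructed input: a small event, one cut at the limit, one non-JSON."""
    small = {"action": "LOGIN", "user": "jdoe", "success": True}
    big = {"action": "UPDATE", "user": "jdoe",
           "groups": ["group%04d" % i for i in range(600)]}
    full = HEADER + json.dumps(big)
    return [HEADER + json.dumps(small), full[:LIMIT_BYTES],
            HEADER + "service started"]


if __name__ == "__main__":
    events, held = triage(sample_lines())
    print("parsed events:", len(events))
    for status, size, _raw in held:
        print("quarantined:", status, size, "bytes")
```

Keeping the raw line in the quarantine list preserves the partial record for later review, and a rising count of incomplete lines near the size limit is the signal to raise with your SIEM vendor.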

