JSA Supported DSMs

JSA can collect events from your security products by using a plugin file that is called a Device Support Module (DSM).

What do you do if the product version or device you have is not listed in the DSM Configuration Guide?

Sometimes a version of a vendor product or a device is not listed as supported. If the product or device is not listed, follow these guidelines.

Version not listed

If the DSM for your product is officially supported by JSA, but your product version is not listed in the Juniper Secure Analytics Configuring DSMs Guide, you have the following options:

- Try the DSM to see whether it works. The product versions that are listed in the guide are tested by Juniper, but newer untested versions can also work.
- If you tried the DSM and it didn't work, open a support ticket for a review of the log source to troubleshoot and rule out any potential issues.

Tip: In most cases, no changes are necessary, or perhaps a minor update to the QRadar Identifier (QID) map is all that is required. Software updates by vendors might on rare occasions add or change event formats that break the DSM, which requires a request for enhancement (RFE) for the development of a new integration. This is the only scenario where an RFE is required.

Device not listed

When a device is not officially supported, you have the following options:

- Open a request for enhancement (RFE) to have your device become officially supported:
  1. Go to the JSA.
  2. Log in to the support portal page.
  3. Click the Submit tab and type the necessary information.

  Tip: If you have event logs from a device, attach the event information and include the product version of the device that generated the event log.
- Write a log source extension to parse events for your device. For more information, see Log Source Extensions.
- Use the content extensions that some third-party vendors provide for sending events to JSA.

The following table lists supported DSMs for third-party and JSA solutions.
The following table lists supported DSMs for third-party and JSA solutions.
Manufacturer |
Device name and version |
Protocol |
Recorded events and formats |
Auto discovered? |
Includes identity? |
Includes custom properties? |
---|---|---|---|---|---|---|
3Com |
8800 Series Switch V3.01.30 |
Syslog |
Status and network condition events |
Yes |
No |
No |
AhnLab |
AhnLab Policy Center |
AhnLabPolicy CenterJdbc |
Spyware detection Virus detection Audit |
No |
Yes |
No |
Akamai |
Akamai KONA |
HTTP Receiver Akamai Kona REST API |
Warn Rule Events Deny Rule Events Event format: JSON Recorded event types: All security events |
No |
No |
No |
Amazon |
Amazon AWS Application Load Balancer Access Logs |
Amazon AWS S3 REST API |
Event format: Space delimited predefined fields Recorded event types: Access logs |
Yes |
No |
No |
Amazon |
Amazon AWS Elastic Kubernetes Service Supported version: Kubernetes API 1.19 |
Amazon Web Services |
Event format: JSON Recorded event types: Amazon AWS Kubernetes |
Yes |
No |
No |
Amazon |
Amazon AWS Network Firewall |
Amazon AWS S3 REST API |
Event format: JSON Recorded event types: Firewall Alert logs, Firewall Flow logs |
No |
No |
No |
Amazon |
Amazon AWS Route 53 |
|
Event format:
Recorded event types: Event versions 1.0 |
Yes | No | No |
Amazon |
Amazon AWS Security Hub |
Amazon Web Services |
Event format: JSON Recorded event types: AWS Security Finding Format (ASFF) |
No |
No |
No |
Amazon |
Amazon AWS WAF |
Amazon AWS S3 REST API |
Event format: JSON Recorded event types: Traffic allow, Traffic block |
No |
No |
No |
Amazon |
Amazon GuardDuty |
Amazon GuardDuty |
Amazon GuardDuty Findings JSON |
No |
No |
No |
Amazon |
Amazon AWS CloudTrail |
Amazon AWS S3 REST API |
All version 1.0, 1.02, 1.03, and 1.04 events. |
No |
No |
No |
Ambiron |
TrustWave ipAngel V4.0 |
Syslog |
Snort-based events |
No |
No |
No |
Apache |
HTTP Server V1.3+ |
Syslog |
HTTP status |
Yes |
No |
No |
APC |
UPS |
Syslog |
Smart-UPS series events |
No |
No |
No |
Apple |
Apple Mac OS X version 10.12 |
Syslog |
Firewall, web server access, web server error, privilege, and informational events |
No |
Yes |
No |
Application Security, Inc. |
DbProtect V6.2, V6.3, V6.3sp1, V6.3.1, and v6.4 |
Syslog |
All events |
Yes |
No |
No |
Arbor Networks |
Arbor Networks Pravail APS V3.1+ |
Syslog, TLS Syslog |
All events |
Yes |
No |
No |
Arbor Networks |
Arbor Networks Peakflow SP V5.8 to V8.12 |
Syslog, TLS Syslog |
Denial of Service (DoS) Authentication Exploit Suspicious activity System |
Yes |
No |
No |
Arpeggio Software |
SIFT-IT V3.1+ |
Syslog |
All events configured in the SIFT-IT rule set |
Yes |
No |
No |
Array Networks |
SSL VPN ArraySP V7.3 |
Syslog |
All events |
No |
Yes |
Yes |
Aruba Networks |
ClearPass Policy Manager V6.5.0.71095 and above |
Syslog |
LEEF |
Yes |
Yes |
No |
Aruba Networks |
Mobility Controllers V2.5 + |
Syslog |
All events |
Yes |
No |
No |
Avaya Inc. |
Avaya VPN Gateway V9.0.7.2 |
Syslog |
All events |
Yes |
Yes |
No |
BalaBit IT Security |
Microsoft Windows Security Event Log V4.x |
Syslog |
Microsoft Event Log Events |
Yes |
Yes |
No |
BalaBit IT Security |
Microsoft ISA V4.x |
Syslog |
Microsoft Event Log Events |
Yes |
Yes |
No |
Barracuda Networks |
Spam & Virus Firewall V5.x and later |
Syslog |
All events |
Yes |
No |
No |
Barracuda Networks |
Web Application Firewall V7.0.x |
Syslog |
System, web firewall, access, and audit events |
Yes |
No |
No |
Barracuda Networks |
Web Filter V6.0.x+ |
Syslog |
Web traffic and web interface events |
Yes |
No |
No |
Bit9 |
Carbon Black V5.1 and later |
Syslog |
Watchlist hits |
Yes |
No |
No |
Bit9 |
Bit9 Parity |
Syslog |
LEEF |
Yes |
No |
|
Bit9 |
Security Platform V6.0.2 and later |
Syslog |
All events |
Yes |
Yes |
No |
BlueCat Networks |
Adonis V6.7.1-P2+ |
Syslog |
DNS and DHCP events |
Yes |
No |
No |
Blue Coat |
SG V4.x+ |
Syslog Log File Protocol |
All events |
No |
No |
Yes |
Blue Coat |
Web Security Service |
Blue Coat ELFF, Access |
No |
No |
No |
|
Bridgewater Systems |
AAA V8.2c1 |
Syslog |
All events |
Yes |
Yes |
No |
Broadcom |
CA Access Control Facility (ACF2) (Formerly known as CA Technologies ACF2) |
Log File Protocol |
All events |
No |
No |
Yes |
Broadcom |
CA Top Secret (Formerly known as CA Technologies Top Secret) |
Log File Protocol |
All events |
No |
No |
Yes |
Broadcom |
Symantec SiteMinder (Formerly known as CA SiteMinder) |
Syslog, Log File |
All events |
No |
Yes |
No |
Brocade |
Fabric OS V7.x |
Syslog |
System and audit events |
Yes |
No |
No |
Centrify |
Centrify Identity Platform |
Centrify Redrock REST API |
Event format: JSON Event types: SaaS, Core, Internal and Mobile |
No |
No |
No |
Carbon Black |
Carbon Black V5.1 and later |
Syslog |
Watchlist hits |
Yes |
No |
No |
Carbon Black |
Carbon Black Bit9 Parity |
Syslog |
LEEF |
Yes |
No |
|
Carbon Black |
Carbon Black Bit9 Security Platform V6.0.2 |
Syslog |
All events |
Yes |
Yes |
No |
Centrify |
Centrify Identity Platform |
Centrify Redrock REST API |
Event format: JSON Event types: SaaS, Core, Internal and Mobile |
No |
No |
No |
Centrify |
Centrify Infrastructure Services 2017 |
Syslog and WinCollect |
WinCollect logs, Audit events |
Yes |
No |
No |
Check Point |
Check Point versions NG, FP1, FP2, FP3, AI R54, AI R55, R65, R70, R77, R80, NGX, and R75 |
Syslog or OPSEC LEA |
All events |
Yes |
Yes |
Yes |
Check Point |
VPN-1 versions NG, FP1, FP2, FP3, AI R54, AI R55, R65, R70, R77 NGX |
Syslog or OPSEC LEA |
All events |
Yes |
Yes |
No |
Check Point |
Check Point Multi-Domain Management (Provider-1) versions NG, FP1, FP2, FP3, AI R54, AI R55, R65, R70, R77, NGX |
Syslog or OPSEC LEA |
All events |
Yes |
Yes |
No |
Cilasoft |
Cilasoft QJRN/400 V5.14.K+ |
Syslog |
IBM audit events |
Yes |
Yes |
No |
Cisco |
4400 Series Wireless LAN Controller V7.2 |
Syslog or SNMPv2 |
All events |
No |
No |
No |
Cisco |
Cisco CallManager 8.x, 11.5 |
Syslog |
Application events |
Yes |
No |
No |
Cisco |
ACS V4.1 and later if directly from ACS V3.x and later if using ALE |
Syslog |
Failed Access Attempts |
Yes |
Yes |
No |
Cisco |
Aironet V4.x+ |
Syslog |
Cisco Emblem Format |
Yes |
No |
No |
Cisco |
ACE Firewall V12.2 |
Syslog |
All events |
Yes |
Yes |
No |
Cisco |
Cisco AMP |
Cisco AMP |
All security events Note:
Network traffic is supported only for Data Flow Control (DCF) events. |
|||
Cisco |
ASA V7.x and later |
Syslog |
All events |
Yes |
Yes |
No |
Cisco |
ASA V7.x+ |
NSEL Protocol |
All events |
No |
No |
No |
Cisco |
CSA V4.x, V5.x and V6.x |
Syslog SNMPv1 SNMPv2 |
All events |
Yes |
Yes |
No |
Cisco |
CatOS for catalyst systems V7.3+ |
Syslog |
All events |
Yes |
Yes |
No |
Cisco |
Cloud Web Security (CWS) |
Amazon AWS S3 REST API |
W3C All web usage logs |
No |
No |
No |
Cisco |
Cisco Stealthwatch V6.8 |
Syslog |
Event format: LEEF Event types: Anomaly, Data Hoarding, Exploitation, High Concern, Index, High DDoS Source Index, High Target Index, Policy Violation, Recon, High DDoS Target Index, Data Exfilration, C&C |
Yes |
No |
No |
Cisco |
IPS V7.1.10 and later, V7.2.x, V7.3.x |
SDEE |
All events |
No |
No |
No |
Cisco |
Cisco IronPort V5.5, V6.5, V7.1, V7.5 (adds support for access logs) Cisco IronPort ESA: V10.0 Cisco IronPort WSA: V10.0 |
Syslog, Log File protocol |
Event format: All events Recorded event types: Mail (syslog) System (syslog) Access (syslog) Web content filtering (Log File) |
No |
No |
No |
Cisco |
IronPort V5.5, V6.5, V7.1, and V7.5 |
Syslog, Log File Protocol |
All events |
No |
No |
No |
Cisco |
FireSIGHT Management Center V4.8.0.2 to V6.0.0 (formerly known as Sourcefire Defense Center) |
FireSIGHT Management Center |
Intrusion events and extra data Correlation events Metadata events Discovery events Host events User events Malware events File events |
No |
No |
No |
Cisco |
Cisco Firepower Management Center V5.2 to V6.4 (formerly known as Cisco FireSIGHT Management Center) |
Cisco Firepower eStreamer protocol |
Discovery events Correlation and White List events Impact Flag alerts User activity Malware events File events Connection events Intrusion events Intrusion Event Packet Data Intrustion Event Extra Data |
No |
No |
No |
Cisco |
Cisco Firepower Threat Defense |
Syslog |
Event format: Syslog, Comma-separated values (CSV), Name-value pair (NVP) Recorded event types: Intrusion, Connection |
Yes |
Yes |
No |
Cisco |
Cisco Firewall Service Module (FWSM) v2.1+ |
Syslog |
All events |
Yes |
Yes |
Yes |
Cisco |
Cisco Catalyst Switch IOS, 12.2, 12.5+ |
Syslog |
All events |
Yes |
Yes |
No |
Cisco |
Cisco Meraki |
Syslog |
Event format: Syslog Event types: Events Flows security_event_ids_alerted |
|||
Cisco |
Cisco NAC Appliance v4.x + |
Syslog |
Audit, error, failure, quarantine, and infected events |
No |
No |
No |
Cisco |
Cisco Nexus v6.x |
Syslog |
Nexus-OS events |
Yes |
No |
No |
Cisco |
Cisco PIX Firewall v5.x, v6.3+ |
Syslog |
Cisco PIX events |
Yes |
Yes |
Yes |
Cisco |
Cisco Identity Services Engine V1.1 to V2.2 |
UDP Multiline Syslog |
Event format: Syslog Event types: Device events |
No |
Yes |
No |
Cisco |
Cisco IOS 12.2, 12.5+ |
Syslog |
All events |
Yes |
Yes |
No |
Cisco |
Cisco Umbrella |
Amazon AWS S3 REST API |
Event format: Cisco Umbrella CSV Event types: Audit |
No |
No |
No |
Cisco |
Cisco VPN 3000 Concentrator versions VPN 3005, 4.1.7.H |
Syslog |
All events |
Yes |
Yes |
Yes |
Cisco |
Cisco Wireless Services Modules (WiSM) V 5.1+ |
Syslog |
All events |
Yes |
No |
No |
Citrix |
Citrix NetScaler V9.3 to V10.0 |
Syslog |
All events |
Yes |
Yes |
No |
Citrix |
Citrix Access Gateway V4.5 |
Syslog |
Access, audit, and diagnostic events |
Yes |
No |
No |
Cloudera |
Cloudera Navigator |
Syslog |
Audit events for HDFS, HBase, Hive, Hue, Cloudera Impala, Sentry |
Yes |
No |
No |
Cloudflare |
Cloudflare Logs |
Amazon AWS S3 REST API HTTP Receiver |
Event format: JSON Event types: HTTP events, Firewall events |
Yes |
No |
No |
CloudPassage |
CloudPassage Halo |
Syslog, Log file |
All events |
Yes |
No |
No |
CrowdStrike |
CrowdStrike Falcon |
Syslog LEEF |
Incident summary, Detection summary, Authentication, Detection status update, Uploaded IoCs, Network containment, IP whitelisting, Policy management, CrowdStrike store, Falcon firewall management, Real time response, Event streams |
Yes |
No |
No |
CorreLog |
CorreLog Agent for IBMz/OS |
Syslog LEEF |
All events |
Yes |
No |
No |
CRYPTOCard |
CRYPTO- Shield V6.3 |
Syslog |
All events |
No |
No |
No |
CyberArk |
CyberArk Privileged Threat Analytics V3.1 |
Syslog |
Detected security events |
Yes |
No |
No |
CyberArk |
CyberArk Vault V6.x |
Syslog |
All events |
Yes |
Yes |
No |
CyberGuard |
Firewall/VPN KS1000 V5.1 |
Syslog |
CyberGuard events |
Yes |
No |
No |
Damballa |
Failsafe V5.0.2+ |
Syslog |
All events |
Yes |
No |
No |
Digital China Networks |
DCS and DCRS Series switches V1.8.7 |
Syslog |
DCS and DCRS IPv4 events |
No |
No |
No |
DG Technology |
DG Technology MEAS |
LEEF Syslog |
Mainframe events |
Yes |
No |
No |
ESET |
ESET Remote Administrator V6.4.270 |
Syslog LEEF |
Threat events Firewall Aggregated Event HIPS Aggregated Event Audit events |
Yes |
No |
No |
Extreme |
Dragon V5.0, V6.x, V7.1, V7.2, V7.3, and V7.4 |
Syslog SNMPv1 SNMPv3 |
All relevant Extreme Dragon events |
Yes |
No |
No |
Extreme |
800-Series Switch |
Syslog |
All events |
Yes |
No |
No |
Extreme |
Matrix Router V3.5 |
Syslog SNMPv1 SNMPv2 SNMPv3 |
SNMP and syslog login, logout, and login failed events |
Yes |
No |
No |
Extreme |
NetSight Automatic Security Manager V3.1.2 |
Syslog |
All events |
Yes |
No |
No |
Extreme |
Matrix N/K/S Series Switch V6.x, V7.x |
Syslog |
All relevant Matrix K-Series, N-Series and S-Series device events |
Yes |
No |
No |
Extreme |
Stackable and Standalone Switches |
Syslog |
All events |
Yes |
Yes |
No |
Extreme |
XSR Security Router V7.6.14.0002 |
Syslog |
All events |
Yes |
No |
No |
Extreme |
HiGuard Wireless IPS 2R2.0.30 |
Syslog |
All events |
Yes |
No |
No |
Extreme |
HiPath Wireless Controller 2R2.0.30 |
Syslog |
All events |
Yes |
No |
No |
Extreme |
NAC 3.2 and 3.3 |
Syslog |
All events |
Yes |
No |
No |
Enterprise-IT-Security.com |
SF-Sherlock 8.1 and later |
LEEF |
All_Checks, DB2_Security_Configuration, JES_Configuration, Job_Entry_System_Attack, Network_Parameter, Network_Security, No_Policy, Resource_Access_Viol, Resource_Allocation, Resource_Protection, Running_System_Change, Running_System_Security, Running_System_Status, Security_Dbase_Scan, Security_Dbase_Specialty, Security_Dbase_Status, Security_Parm_Change, Security_System_Attack, Security_System_Software, Security_System_Status, SF-Sherlock, Sherlock_Diverse, Sherlock_Diverse, Sherlock_Information, Sherlock_Specialties, Storage_Management, Subsystem_Scan, Sysplex_Security, Sysplex_Status, System_Catalog, System_File_Change, System_File_Security, System_File_Specialty, System_Log_Monitoring, System_Module_Security, System_Process_Security, System_Residence, System_Tampering, System_Volumes, TSO_Status, UNIX_OMVS_Security, UNIX_OMVS_System, User_Defined_Monitoring, xx_Resource_Prot_Templ |
Yes |
No |
No |
Epic |
Epic SIEM, version Epic 2014, Epic 2015, and Epic 2017 |
LEEF |
Audit, Authentication |
Yes |
Yes |
No |
Exabeam |
Exabeam 1.7 and 2.0 |
not applicable |
Critical, Anomalous |
Yes |
No |
No |
Extreme Networks |
Extreme Ware 7.7 and XOS 12.4.1.x |
Syslog |
All events |
No |
Yes |
No |
F5 Networks |
F5 Networks BIG-IP AFM 11.3 and 12.x to 14.x |
Syslog |
Network, network DoS, protocol security, DNS, and DNS DoS events |
Yes |
No |
No |
F5 Networks |
F5 Networks BIG-IP LTM 9.42 to 14.x |
Syslog, CSV |
All events |
No |
Yes |
No |
F5 Networks |
F5 Networks BIG-IP ASM 10.1 to 14.x |
Syslog |
Event format: CEF (CEF:0 is supported) Recorded event types: All security events |
No |
Yes |
No |
F5 Networks |
F5 Networks BIG-IP APM 10.x to 14.x |
Syslog |
All events |
Yes |
No |
No |
F5 Networks |
FirePass 7.0 |
Syslog |
All events |
Yes |
Yes |
No |
Fair Warning |
Fair Warning 2.9.2 |
Log File Protocol |
All events |
No |
No |
No |
Fasoo |
Fasoo Enterprise DRM 5.0 |
JDBC |
NVP event format Usage events |
No |
No |
No |
Fidelis Security Systems |
Fidelis XPS 7.3.x |
Syslog |
Alert events |
Yes |
No |
No |
FireEye |
FireEye CMS, MPS, EX, AX, NX, FX, and HX |
Syslog, TLS Syslog |
All relevant events Common Event Format (CEF) formatted messages Log Event Extended Format (LEEF) |
Yes |
No |
No |
FreeRADIUS |
FreeRADIUS 2.x |
Syslog |
All events |
Yes |
Yes |
No |
Forcepoint |
Forcepoint Sidewinder 6.1 (formerly known as McAfee Firewall Enterprise 6.1) |
Syslog |
Forcepoint Sidewinder audit events |
Yes |
No |
No |
Forcepoint |
Stonesoft Management Center 5.4 to 6.1 |
Stonesoft Management Center V5.4 to 6.1 |
Event format: LEEF Event types: Management Center, IPS, Firewall, and VPN events |
Yes |
No |
No |
Forcepoint (formerly known as Websense) |
TRITON 7.7, and 8.2 |
Syslog |
All events |
Yes |
No |
No |
Forcepoint (formerly known as Websense) |
V-Series Data Security Suite (DSS) 7.1x |
Syslog |
All events |
Yes |
Yes |
Yes |
Forcepoint (formerly known as Websense) |
V-Series Content Gateway V7.1x |
Log File Protocol |
All events |
No |
No |
No |
ForeScout |
CounterACT 7.x and later |
Syslog |
Denial of Service, system, exploit, authentication, and suspicious events |
No |
No |
No |
Fortinet |
Fortinet FortiGate Security Gateway FortiOS 6.4 and earlier |
Syslog Syslog Redirect |
All events |
Yes |
Yes |
Yes |
Foundry |
FastIron 3.x.x and 4.x.x |
Syslog |
All events |
Yes |
Yes |
No |
genua |
genugate 8.2+ |
Syslog |
General error messages High availability General relay messages Relay-specific messages genua programs/daemons EPSI Accounting Daemon - gg/src/acctd Configfw FWConfig ROFWConfig User-Interface Webserver |
Yes |
Yes |
No |
|
Google Cloud Platform Firewall |
Google Cloud Pub/Sub |
Event format: JSON Event types: Firewall Allow, Firewall Deny |
No |
No |
No |
|
Google G Suite Activity Reports |
Google G Suite Activity Reports REST API |
Event format: JSON Recorded event types: Admin, drive, login, user accounts |
No |
No |
No |
Great Bay |
Beacon |
Syslog |
All events |
Yes |
Yes |
No |
H3C Technologies |
H3C Comware Platform, H3C Switches, H3C Routers, H3C Wireless LAN Devices, and H3C IP Security Devices version 7 is supported |
Syslog |
NVP System |
No |
No |
No |
HBGary |
Active Defense 1.2 and later |
Syslog |
All events |
Yes |
No |
No |
Hewlett Packard Enterprise |
HPE Network Automation 10.11 |
Syslog LEEF |
All operational and configuration network events. |
Yes |
Yes |
No |
Hewlett Packard Enterprise |
HPE ProCurve K.14.52 |
Syslog |
All events |
Yes |
No |
No |
Hewlett Packard Enterprise |
HPE Tandem |
Log File Protocol |
Safe Guard Audit file events |
No |
No |
No |
Hewlett Packard Enterprise |
HPE UX V11.x and later |
Syslog |
All events |
No |
Yes |
No |
Honeycomb Technologies |
Lexicon File Integrity Monitor mesh service V3.1 and later |
Syslog |
integrity events |
Yes |
No |
No |
Huawei |
S Series Switch S5700, S7700, and S9700 using V200R001C00 |
Syslog |
IPv4 events from S5700, S7700, and S9700 Switches |
No |
No |
No |
Huawei |
AR Series Router (AR150, AR200, AR1200, AR2200, and AR3200 routers using V200R002C00) |
Syslog |
IPv4 events |
No |
No |
No |
IBM |
IBM AIX V6.1 and V7.1 |
Syslog, Log File protocol |
Configured audit events |
Yes |
No |
No |
IBM |
IBM AIX 5.x, 6.x, and v7.x |
Syslog |
Authentication and operating system events |
Yes |
Yes |
No |
IBM |
IBM BigFixV8.2.x to 9.5.2 (formerly known as Tivoli EndPoint Manager) |
IBM BigFix SOAP Protocol |
Server events |
No |
No |
No |
IBM |
IBM BigFix Detect Note:
The IBM BigFix Detect DSM for JSA is deprecated. |
|||||
IBM |
IBM Bluemix Platform (now known as IBM Cloud Platform) |
|||||
IBM | IBM Cloud Activity Tracker | Apache Kafka protocol | Event format: JSON | Yes | No | No |
IBM | IBM Cloud Identity (now known as IBM Security Verify) | |||||
IBM | IBM Cloud Platform (formerly known as IBM Bluemix Platform) | Syslog, TLS Syslog | All System (Cloud Foundry) events, some application events | Yes | No | No |
IBM |
IBM DLC Metrics |
Syslog, Forwarded |
Event format: LEEF Recorded event types: All DLC Metrics event types |
Yes |
No |
No |
IBM |
IBM Federated Directory Server V7.2.0.2 and later |
LEEF |
FDS Audit |
Yes |
No |
No |
IBM |
IBM Guardium 8.2p45 |
Syslog |
Policy builder events |
No |
No |
No |
IBM |
IBM i DSM V5R4 and later (formerly known as AS/400iSeries) |
Log File Protocol |
Event format: CEF (CEF:0 is supported) Recorded event types: All security events |
No |
Yes |
No |
IBM |
IBM i - Robert Townsend Security Solutions V5R1 and later (formerly known as AS/400iSeries) |
Syslog |
Event format: CEF (CEF:0 is supported) |
Yes |
Yes |
No |
IBM |
IBM i - Powertech Interact V5R1 and later (formerly known as AS/400iSeries) |
Syslog |
Event format: CEF (CEF:0 is supported) |
Yes |
Yes |
No |
IBM |
IBM ISS Proventia M10 v2.1_2004.1122_15.13.53 |
SNMP |
All events |
No |
No |
No |
IBM |
IBM Lotus Domino v8.5 |
SNMP |
All events |
No |
No |
No |
IBM |
IBM Proventia Management SiteProtector v2.0 and v2.9 |
JDBC |
IPS and audit events |
No |
No |
No |
IBM |
IBM RACF v1.9 to v1.13 |
Log File Protocol |
All events |
No |
No |
Yes |
IBM |
IBM CICS v3.1 to v4.2 |
Log File Protocol |
All events |
No |
No |
Yes |
IBM |
IBM DB2 v8.1 to v10.1 |
Log File Protocol |
All events |
No |
No |
Yes |
IBM |
IBM DataPower FirmwareV6 and V7 (formerly known as WebSphere DataPower) |
Syslog |
All events |
Yes |
No |
No |
IBM |
IBM MaaS360 Security (formerly known as IBM Fiberlink MaaS360) |
LEEF |
Compliance rule events Device enrollment events Action history events |
No |
Yes |
No |
IBM |
IBM JSA Packet Capture IBM JSA Packet Capture 2014.3 to 2014.8 |
Syslog, LEEF |
All events |
Yes |
No |
No |
IBM |
IBM SAN Volume Controller |
Syslog |
CADF event format |
Yes |
No |
No |
IBM |
IBM z/OS v1.9 to v1.13 |
Log File Protocol |
All events |
No |
No |
Yes |
IBM |
IBM Informix v11 |
Log File Protocol |
All events |
No |
No |
No |
IBM |
IBM IMS |
Log File Protocol |
All events |
No |
No |
No |
IBM |
Security Identity Governance (ISIG) |
JDBC |
NVP event format Audit event type |
No |
No |
No |
IBM |
Security Network Protection (XGS) v5.0 with fixpack 7 to v5.4 |
Syslog |
System, access, and security events |
Yes |
No |
No |
IBM |
Security Network IPS v4.6 and later |
Syslog |
Security, health, and system events |
Yes |
No |
No |
IBM |
Security Identity Manager 6.0.x and later |
JDBC |
Audit and recertification events |
No |
Yes |
No |
IBM |
IBM Security Trusteer |
HTTP Receiver |
Event format: JSON Event types: Trusteer alerts |
Yes |
No |
No |
IBM |
IBM Security Trusteer Apex Advanced Malware Protection |
Syslog/LEEF Log File Protocol |
Malware Detection Exploit Detection Data Exfiltration Detection Lockdown for Java Event File Inspection Event Apex Stopped Event Apex Uninstalled Event Policy Changed Event ASLR Violation Event ASLR Enforcement Event Password Protection Event |
Yes |
Yes |
No |
IBM |
IBM Sense v1 |
Syslog |
LEEF |
Yes |
No |
No |
IBM |
IBM SmartCloud Orchestrator v2.3 FP1 and later |
IBM SmartCloud Orchestrator REST API |
Audit Records |
No |
Yes |
No |
IBM |
IBM Security Verify (formerly known as IBM Cloud Identity) |
JSON |
Authentication, SSO, Management |
No |
Yes |
Yes |
IBM |
Tivoli Access Manager IBM Web Security Gateway v7.x |
Syslog |
audit, access, and HTTP events |
Yes |
Yes |
No |
IBM |
Tivoli Endpoint Manager v8.2.x and later |
IBM Tivoli Endpoint Manager SOAP Protocol |
Server events |
No |
Yes |
No |
IBM |
WebSphere Application Server v5.0 to v8.5 |
Log File Protocol |
All events |
No |
Yes |
No |
IBM |
WebSphere DataPower (now known as DataPower) WebSphere DataPower |
|||||
IBM |
zSecure Alert v1.13.x and later |
UNIX syslog |
Alert events |
Yes |
Yes |
No |
IBM |
Security Directory v6.3.1 and later |
Syslog LEEF |
All events |
Yes |
Yes |
No |
Illumio |
Illumio Adaptive Security Platform |
Syslog LEEF |
Audit Traffic |
Yes |
No |
No |
Imperva |
Incapsula |
LEEF |
Access events and Security alerts |
Yes |
No |
No |
Imperva |
SecureSphere v6.2 and v7.x Release Enterprise Edition (Syslog) SecureSphere v9.5 to v11.5 (LEEF) |
Syslog LEEF |
Firewall policy events |
Yes |
No |
No |
Infoblox NIOS |
Infoblox NIOS 6.x to 8.x |
Syslog |
ISC Blind Linux DHCP Linux Server Apache |
No |
Yes |
No |
Internet Systems Consortium (ISC) |
ISC BIND 9.9, 9.11, 9.12 |
Syslog |
All events |
Yes |
No |
No |
Intersect Alliance |
SNARE Enterprise Windows Agent |
Syslog |
Microsoft Event Logs |
Yes |
Yes |
No |
iT-CUBE |
agileSI 1.x |
SMB Tail |
AgileSI SAP events |
No |
Yes |
No |
Itron |
Openway Smart Meter |
Syslog |
All events |
Yes |
No |
No |
Juniper Networks |
AVT |
JDBC |
All events |
No |
No |
Yes |
Juniper Networks |
DDoS Secure Juniper Networks DDoS Secure is now known as NCC Group DDoS Secure. |
Syslog |
All events |
Yes |
No |
No |
Juniper Networks |
DX The Juniper Networks DX Platform product is end of life (EOL), and is no longer supported by Juniper. |
Syslog |
Status and network condition events |
Yes |
No |
Yes |
Juniper Networks |
Infranet Controller The Juniper Networks Infranet Controller DSM for JSA is now known as Pulse Secure Infranet Controller. |
|||||
Juniper Networks |
Firewall and VPN v5.5r3 and later |
Syslog |
Juniper Firewall events |
Yes |
Yes |
Yes |
Juniper Networks |
Junos OS WebApp Secure v4.2.x |
Syslog |
Incident and access events |
Yes |
No |
No |
Juniper Networks |
IDP v4.0, v4.1 & v5.0 |
Syslog |
Juniper IDP events |
Yes |
No |
Yes |
Juniper Networks |
Network and Security Manager (NSM) and Juniper SSG v2007.1r2 to 2007.2r2, 2008.r1, 2009r1.1, 2010.x |
Syslog |
Juniper NSM events |
Yes |
No |
Yes |
Juniper Networks |
Junos OS 7.x to 10.x Ex Series Ethernet Switch DSM only supports 9.0 to 10.x |
Syslog or PCAP Syslog*** |
All events |
Yes** |
Yes |
Yes |
Juniper Networks |
Secure Access RA Juniper Networks Secure Access is now known as Pulse Secure Pulse Connect Secure. |
|||||
Juniper Networks |
Juniper Security Binary Log Collector SRX or J Series appliances at 12.1 or above |
Binary |
Audit, system, firewall, and IPS events |
No |
No |
Yes |
Juniper Networks |
Steel-Belted Radius 5.x and later |
Syslog |
All events |
Yes |
Yes |
Yes |
Juniper Networks |
vGW Virtual Gateway 4.5 The Juniper Networks vGW Virtual Gateway product is end of life (EOL), and is no longer supported by Juniper. |
Syslog |
Firewall, admin, policy and IDS Log events |
Yes |
No |
No |
Juniper Networks |
Wireless LAN Controller Wireless LAN devices with Mobility System Software (MSS) V7.6 and later |
Syslog |
All events |
Yes |
No |
No |
Kaspersky |
Security Center 9.2 and later |
JDBC, LEEF |
Antivirus, server, and audit events |
No |
Yes |
No |
Kaspersky |
Kaspersky CyberTrace |
Syslog |
Detect, Status, Evaluation |
Yes |
No |
No |
Kubernetes |
Kubernetes Auditing Supported version: Kubernetes API 1.16 |
Syslog |
Event format: JSON Event types: RequestReceived, ResponseStarted, ResponseComplete |
Yes |
No |
Yes |
Kisco |
Kisco Information Systems SafeNet/i 10.11 |
Log File |
All events |
No |
No |
No |
Lastline |
Lastline Enterprise 6.0 |
LEEF |
Anti-malware |
Yes |
No |
No |
Lieberman |
Random Password Manager 4.8x |
Syslog |
All events |
Yes |
No |
No |
LightCyber |
LightCyber Magna 3.9 |
Syslog, LEEF |
C&C, exfilt, lateral, malware and recon |
Yes |
No |
No |
Linux |
Open Source Linux OS 2.4 and later |
Syslog |
Operating system events |
Yes |
Yes |
No |
Linux |
DHCP Server 2.4 and later |
Syslog |
All events from a DHCP server |
Yes |
Yes |
No |
Linux |
IPtables kernel 2.4 and later |
Syslog |
Accept, Drop, or Reject events |
Yes |
No |
No |
McAfee |
McAfee Application / Change Control v4.5.x |
JDBC |
Change management events |
No |
Yes |
No |
McAfee |
McAfee ePolicy Orchestrator 3.5 to 5.10 |
JDBC: 3.5 to 5.9 SNMPv1, SNMPv2, SNMPv3: 3.5 to 5.9 TLS Syslog: 5.10 |
AntiVirus events |
No |
No |
No |
McAfee |
McAfee MVISION Cloud 2.4 and 3.3 (formerly known as Skyhigh Networks Cloud Security Platform |
Syslog |
Event format: Log Event Extended Format (LEEF) Recorded event types: Privilege Access, Insider Threat, Compromised Account, Access, Admin, Data, Policy, and Audit |
Yes |
No |
No |
McAfee |
McAfee Network Security Platform 2.x - 5.x Formerly known as McAfee Intrushield) |
Syslog |
Alert notification events |
Yes |
No |
No |
McAfee |
McAfee Network Security Platform 6.x - 7.x and 8.x - 10.x Formerly known as McAfee Intrushield) |
Syslog |
Alert and fault notification events |
Yes |
No |
No |
McAfee |
McAfee Web 6.0.0 and later |
Syslog, Log File Protocol |
All events |
Yes |
No |
No |
MetaInfo |
MetaIP 5.7.00-6059 and later |
Syslog |
All events |
Yes |
Yes |
No |
Microsoft | Microsoft 365 Defender Note:
The Microsoft Windows Defender ATP DSM is now the Microsoft 365 Defender DSM. The DSM RPM name remains as Microsoft Windows Defender ATP in JSA. |
Microsoft Defender for Endpoint SIEM REST API Microsoft Azure Event Hubs |
Event format: JSON The Microsoft 365 Defender DSM supports the following events when you use the Microsoft Azure Event Hubs protocol: Alerts (Alerts are supported only for Microsoft Defender for Endpoint.):
Device:
Email:
The Microsoft 365 Defender DSM supports the following events when you use the Microsoft Defender for Endpoint REST API protocol:
|
Yes | Yes | No |
Microsoft |
Microsoft Azure Active Directory |
Microsoft Azure Event Hubs |
Event format: JSON Recorded event types: Sign-In logs, Audit logs |
Yes |
No |
No |
Microsoft |
Microsoft Azure Platform |
Microsoft Azure Event Hubs |
Event format: JSON Recorded event types: Platform level activity logs |
Yes Note:
This DSM automatically discovers only Activity Log Events that are forwarded directly from the Activity Log to the Event Hub. |
No |
No |
Microsoft |
Microsoft Azure Security Center |
Microsoft Graph Security API |
Event format: JSON Recorded event types: Security alert |
No |
No |
No |
Microsoft |
DNS Debug Supported versions: Windows Server 2016, Windows Server 2012 R2, Windows Server 2008 R2 |
WinCollect Microsoft DNS Debug |
LEEF |
Yes |
Yes |
No |
Microsoft |
IIS 6.0, 7.0 and 8.x |
Syslog and Wincollect |
HTTP status code events |
Yes |
No |
No |
Microsoft |
Internet and Acceleration (ISA) Server or Threat Management Gateway 2006 |
Syslog and Wincollect |
ISA or TMG events |
Yes |
No |
No |
Microsoft |
Exchange Server 2003, 2007, 2010, 2013, and 2016 |
Windows Exchange Protocol |
Outlook Web Access events (OWA) Simple Mail Transfer Protocol events (SMTP Message Tracking Protocol events (MSGTRK) |
No |
No |
No |
Microsoft |
Endpoint Protection 2012 |
JDBC |
Malware detection events |
No |
No |
No |
Microsoft |
Hyper V supported versions: Windows Server 2016 Windows Server 2012 (most recent) Windows Server 2012 Core Windows Server 2008 (most recent) Windows Server 2008 Core Windows 10 (most recent) Windows 8 (most recent) Windows 7 (most recent) Windows Vista (most recent) |
WinCollect |
All events |
No |
No |
No |
Microsoft |
IAS Server v2000, 2003, and 2008 |
Syslog |
All events |
Yes |
No |
No |
Microsoft |
Microsoft Office 365 |
Office 365 REST API |
JSON |
No |
No |
No |
Microsoft |
Microsoft Office 365 Message Trace |
Office 365 Message Trace REST API |
Event format: JSON Event types: Email security threat classification |
No |
No |
No |
Microsoft |
Microsoft Windows Defender ATP |
Microsoft Defender for Endpoint REST API |
Event format: JSON Event types: Windows Defender ATP Windows Defender AV Third Party TI Customer TI Bitdefender |
No |
No |
No |
Microsoft |
Microsoft Windows Event Security Log v2000, 2003, 2008, XP, Vista, and Windows 7 (32 or 64-bit systems supported) supported versions: Windows Server 2016 Windows Server 2012 (most recent) Windows Server 2012 Core Windows Server 2008 (most recent) Windows 10 (most recent) Windows 8 (most recent) Windows 7 (most recent) Windows Vista (most recent) |
Syslog Forwarded TLS Syslog TCP Multiline Syslog Windows Event Log (WMI) Windows Event Log Custom (WMI) MSRPC WinCollect WinCollect NetApp Data ONTAP |
All events, including Sysmon winlogbeats.json |
Yes |
Yes |
Yes |
Microsoft |
SQL Server 2008, 2012, 2014 (Enterprise editions only), and 2016 |
Syslog, JDBC and Wincollect |
SQL Audit events |
No |
No |
No |
Microsoft |
SharePoint 2010 and 2013 |
JDBC |
SharePoint audit, site, and file events |
No |
No |
No |
Microsoft |
DHCP Server 2000/2003 |
Syslog and Wincollect |
All events |
Yes |
Yes |
No |
Microsoft |
Operations Manager 2005 |
JDBC |
All events |
No |
No |
No |
Microsoft |
System Center Operations Manager 2007 |
JDBC |
All events |
No |
No |
No |
Motorola |
Symbol AP firmware 1.1 to 2.1 |
Syslog |
All events |
No |
No |
No |
NCC Group |
NCC Group DDoS 5.13.1-2s to 5.16.1-0 |
Syslog |
Event format: LEEF; Event types: All events |
Yes |
No |
No |
Niara |
Niara 1.6 |
Syslog |
Security, System, Internal Activity, Exfiltration, Command & Control |
Yes |
No |
Yes |
NetApp |
Data ONTAP |
WinCollect NetApp Data ONTAP |
CIFS events |
Yes |
Yes |
No |
Netgate |
Netgate pfSense |
Syslog |
System, Firewall, DNS, DHCP (when you use the Linux DHCP DSM) |
Yes |
Yes |
No |
Netskope |
Netskope Active |
Netskope Active REST API |
Alert, All events |
No |
Yes |
No |
NGINX |
NGINX HTTP Server 1.15.5 |
Syslog |
Syslog, Standard syslog |
Yes |
No |
No |
Niksun |
NetVCR 2005 v3.x |
Syslog |
Niksun events |
No |
No |
No |
Nokia |
Firewall NG FP1, FP2, FP3, AI R54, AI R55, NGX on IPSO v3.8 and later |
Syslog or OPSEC LEA |
All events |
Yes |
Yes |
No |
Nokia |
VPN-1 NG FP1, FP2, FP3, AI R54, AI R55, NGX on IPSO v3.8 and later |
Syslog or OPSEC LEA |
All events |
Yes |
Yes |
No |
Nominum (Note: the Nominum Vantio DSM for JSA is deprecated) |
Vantio v5.3 |
Syslog |
All events |
Yes |
No |
No |
Nortel |
Contivity |
Syslog |
All events |
Yes |
No |
No |
Nortel |
Application Switch v3.2 and later |
Syslog |
Status and network condition events |
No |
Yes |
No |
Nortel |
ARN v15.5 |
Syslog |
All events |
Yes |
No |
No |
Nortel* |
Ethernet Routing Switch 2500 v4.1 |
Syslog |
All events |
No |
Yes |
No |
Nortel* |
Ethernet Routing Switch 4500 v5.1 |
Syslog |
All events |
No |
Yes |
No |
Nortel* |
Ethernet Routing Switch 5500 v5.1 |
Syslog |
All events |
No |
Yes |
No |
Nortel |
Ethernet Routing Switch 8300 v4.1 |
Syslog |
All events |
No |
Yes |
No |
Nortel |
Ethernet Routing Switch 8600 v5.0 |
Syslog |
All events |
No |
Yes |
No |
Nortel |
VPN Gateway v6.0, 7.0.1 and later, v8.x |
Syslog |
All events |
Yes |
Yes |
No |
Nortel |
Secure Router v9.3, v10.1 |
Syslog |
All events |
Yes |
Yes |
No |
Nortel |
Secure Network Access Switch v1.6 and v2.0 |
Syslog |
All events |
Yes |
Yes |
No |
Nortel |
Switched Firewall 5100 v2.4 |
Syslog or OPSEC |
All events |
Yes |
Yes |
No |
Nortel |
Switched Firewall 6000 v4.2 |
Syslog or OPSEC |
All events |
Yes |
Yes |
No |
Nortel |
Threat Protection System v4.6 and v4.7 |
Syslog |
All events |
No |
No |
No |
Novell |
eDirectory v2.7 |
Syslog |
All events |
Yes |
No |
No |
ObserveIT |
ObserveIT 5.7.x and later |
JDBC |
Alerts, User Activity, System Events, Session Activity, DBA Activity |
No |
Yes |
No |
Okta |
Okta Identity Management |
Okta REST API |
JSON |
No |
Yes |
No |
Onapsis |
Onapsis Security Platform v1.5.8 and later |
Log Event Extended Format (LEEF) |
Assessment, Attack signature, Correlation, Compliance |
Yes |
No |
No |
OpenBSD Project |
OpenBSD v4.2 and later |
Syslog |
All events |
No |
Yes |
No |
Open Information Security Foundation (OISF) |
Suricata v6.0.3 and earlier |
Syslog, TLS Syslog |
Event format: JSON; Recorded event types: Alerts |
Yes |
No |
No |
Open LDAP Foundation |
Open LDAP 2.4.x |
UDP Multiline Syslog |
All events |
No |
No |
No |
Open Source |
SNORT v2.x |
Syslog |
All events |
Yes |
No |
No |
OpenStack |
OpenStack v2015.1 |
HTTP Receiver |
Audit events |
No |
No |
No |
Oracle |
Oracle RDBMS Audit Record versions 9i, 10g, 11g, 12c (includes unified auditing) |
Syslog, JDBC |
Event format: Name-Value Pair; Recorded event types: Audit records |
No |
Yes |
No |
Oracle |
Audit Vault v10.2.3.2 and V12.2 |
JDBC |
All audit records from the AVSYS.AV$ALERT_STORE table for V10.3, or from the custom AVSYS.AV_ALERT_STORE_V view for V12.2. |
No |
Yes |
No |
Oracle |
Oracle OS Audit 9i, 10g, and 11g |
Syslog |
Event format: name-value pair (NVP); Event types: Oracle events |
Yes |
Yes |
No |
Oracle |
Oracle BEA WebLogic 12.2.1.3.0 |
Log File |
Oracle events |
No |
No |
No |
Oracle |
Oracle Database Listener 9i, 10g, and 11g |
Syslog |
Oracle events |
Yes |
No |
No |
Oracle |
Oracle Directory Server (formerly known as Sun ONE LDAP); see the Sun ONE LDAP v11.1 entry under Sun. |
|||||
Oracle |
Oracle Fine Grained Auditing 9i and 10g |
JDBC |
Select, insert, delete, or update events for tables configured with a policy |
No |
No |
No |
N/A |
osquery 3.3.2 |
Syslog, TCP Multiline Syslog |
Event format: JSON; Event types: Access, Audit, Authentication, System |
No |
No |
Yes |
OSSEC |
OSSEC 2.6 and later |
Syslog |
All relevant |
Yes |
No |
No |
Palo Alto Networks |
Palo Alto PA Series |
Syslog, TLS Syslog |
Event types: Traffic, Threat, Config, System, HIP Match, Authentication, Tunnel Inspection, Correlation, SCTP, File Data, GTP, IP-Tag, GlobalProtect (Note: to use the GlobalProtect log type, you must enable the EventStatus field on your Palo Alto PA Series device). Event formats: LEEF for PAN-OS v3.0 to v10.1 and Prisma Access v2.1; CEF for PAN-OS v4.0 to v6.1 (CEF:0 is supported) |
Yes |
Yes |
No |
Palo Alto Networks |
Palo Alto Endpoint Security Manager 3.4.2.17401 |
Syslog |
Agent, Config, Policy, Threat; Event formats: CEF (CEF:0 is supported), LEEF |
Yes |
No |
No |
Pirean |
Access: One 2.2 with DB2 9.7 |
JDBC |
Access management and authentication events |
No |
No |
No |
PostFix |
Mail Transfer Agent 2.6.6 and later |
UDP Multiline Protocol or Syslog |
Mail events |
No |
No |
No |
ProFTPd |
ProFTPd 1.2.x, 1.3.x |
Syslog |
All events |
Yes |
Yes |
No |
Proofpoint |
Proofpoint Enterprise Protection and Enterprise Privacy versions 7.0.2, 7.1, or 7.2 |
Syslog |
System, email audit, email encryption, and email security threat classification events |
No |
No |
No |
Pulse Secure |
Pulse Secure Infranet Controller 2.1, 3.1 and 4.0 |
Syslog |
All Events |
No |
Yes |
Yes |
Pulse Secure |
Pulse Secure Pulse Connect Secure 8.2R5 |
Syslog, TLS Syslog |
Event formats: Admin, Authentication, System, Network, Error; Event types: All events |
Yes |
Yes |
Yes |
Radware |
AppWall 6.5.2 and 8.2 |
Syslog |
Event format: Vision Log; Recorded event types: Administration, Audit, Learning, Security, System |
Yes |
No |
No |
Radware |
DefensePro 4.23, 5.01, 6.x and 7.x |
Syslog |
All events |
Yes |
No |
No |
Raz-Lee iSecurity |
AS/400 iSeries Firewall 15.7 and Audit 11.7 |
Syslog |
Security compliance, firewall, and audit events |
Yes |
Yes |
No |
Redback Networks |
ASE 6.1.5 |
Syslog |
All events |
Yes |
No |
No |
Resolution1 |
Resolution1 CyberSecurity (formerly known as AccessData InSight) |
Log file |
Volatile Data, Memory Analysis Data, Memory Acquisition Data, Collection Data, Software Inventory, Process Dump Data, Threat Scan Data, Agent Remediation Data |
No |
No |
No |
Riverbed |
SteelCentral NetProfiler |
JDBC |
Alert events |
No |
No |
No |
Riverbed |
SteelCentral NetProfiler Audit |
Log file protocol |
Audit events |
No |
Yes |
No |
RSA |
Authentication Manager 6.x, 7.x, and 8.x |
v6.x and v7.x use Syslog or Log File Protocol; v8.x uses Syslog only |
All events |
No |
No |
No |
SafeNet |
DataSecure 6.3.0 and later |
Syslog |
All events |
Yes |
No |
No |
Salesforce |
Security Auditing |
Log File |
Setup Audit Records |
No |
No |
No |
Salesforce |
Security Monitoring |
Salesforce REST API Protocol |
Login History, Account History, Case History, Entitlement History, Service Contract History, Contract Line Item History, Contract History, Contact History, Lead History, Opportunity History, Solution History |
No |
Yes |
No |
Samhain Labs |
HIDS 2.4 |
Syslog, JDBC |
All events |
Yes |
No |
No |
SAP |
SAP Enterprise Threat Detection sp6 |
SAP Enterprise Threat Detection Alert API |
LEEF |
No |
No |
No |
Seculert |
Seculert v1 |
Seculert Protection REST API Protocol |
All malware communication events |
No |
No |
No |
Sentrigo |
Hedgehog 2.5.3 |
Syslog |
All events |
Yes |
No |
No |
Skyhigh Networks (now known as McAfee) |
Skyhigh Networks Cloud Security Platform 2.4 and 3.3 (now known as McAfee MVISION Cloud 2.4 and 3.3) |
|||||
SolarWinds |
SolarWinds Orion 2011.2 |
Syslog |
All events |
Yes |
No |
No |
SonicWALL |
UTM/Firewall/VPN Appliance 3.x and later |
Syslog |
All events |
Yes |
No |
No |
Sophos |
Sophos Astaro Security Gateway 17.x |
Syslog |
All events |
Yes |
No |
No |
Sophos |
Sophos Enterprise Console 4.5.1 and 5.1 |
Sophos Enterprise Console protocol, JDBC |
All events |
No |
No |
No |
Sophos |
Sophos PureMessage 3.1.0.0 and later for Microsoft Exchange; 5.6.0 for Linux |
JDBC |
Quarantined email events |
No |
No |
No |
Sophos |
Sophos Web Security Appliance 3.x |
Syslog |
Transaction log events |
Yes |
No |
No |
Sourcefire |
Sourcefire Intrusion Sensor IS 500, 2.x, 3.x, 4.x |
Syslog |
All events |
Yes |
No |
No |
Sourcefire |
Sourcefire Defense Center (now known as Cisco FireSIGHT Management Center) |
Sourcefire Defense Center |
All events |
No |
No |
No |
Splunk |
Microsoft Windows Security Event Log |
Windows-based event provided by Splunk Forwarders |
All events |
No |
Yes |
No |
Squid |
Squid Web Proxy 2.5 and later |
Syslog |
All cache and access log events |
Yes |
No |
No |
Starent Networks |
Starent Networks |
Syslog |
All events |
Yes |
No |
No |
STEALTHbits Technologies |
STEALTHbits File Activity Monitor |
Syslog (LEEF) |
File Activity Monitor Events |
|||
STEALTHbits Technologies |
StealthINTERCEPT |
Syslog (LEEF) |
Active Directory Audit Events |
Yes |
No |
No |
STEALTHbits Technologies |
STEALTHbits StealthINTERCEPT Alerts |
Syslog (LEEF) |
Active Directory Alerts Events |
Yes |
No |
No |
STEALTHbits Technologies |
STEALTHbits StealthINTERCEPT Analytics |
Syslog (LEEF) |
Active Directory Analytics Events |
Yes |
No |
No |
Stonesoft |
Management Center v5.4 |
Syslog |
Management Center, IPS, Firewall, and VPN Events |
Yes |
No |
No |
Sun |
Sun Solaris DHCP 2.8 |
Syslog |
All events |
Yes |
Yes |
No |
Sun |
Sun Solaris OS 5.8, 5.9 |
Syslog |
All events |
Yes |
Yes |
No |
Sun |
Sun Solaris Sendmail 2.x |
Syslog, Log File Protocol, Proofpoint 7.5 and 8.0 Sendmail log |
All events |
Yes |
No |
No |
Sun |
Sun Solaris Basic Security Mode (BSM) 5.10 and 5.11 |
Log File Protocol |
All events |
No |
Yes |
No |
Sun |
Sun ONE LDAP v11.1 (Known as Oracle Directory Server) |
Log File Protocol, UDP Multiline Syslog |
All relevant access and LDAP events |
No |
No |
No |
Sybase |
Sybase ASE 15.0 and later |
JDBC |
All events |
No |
No |
No |
Symantec |
Symantec Endpoint Protection 11, 12, and 14 |
Syslog |
All Audit and Security Logs |
Yes |
No |
Yes |
Symantec |
Symantec SGS Appliance 3.x and later |
Syslog |
All events |
Yes |
No |
Yes |
Symantec |
Symantec SSC 10.1 |
JDBC |
All events |
Yes |
No |
No |
Symantec |
Symantec Data Loss Prevention (DLP) 8.x and later |
Syslog |
All events |
No |
No |
No |
Symantec |
Symantec Encryption Management Server 3.0x (formerly known as PGP Universal Server) |
Syslog |
All events |
Yes |
No |
No |
Symark |
Symark PowerBroker 4.0 |
Syslog |
All events |
Yes |
No |
No |
SysFlow (open source project initiated by IBM) |
SysFlow 1.0 |
Syslog |
Event format: JSON; Recorded event types: SysFlow |
Yes |
No |
No |
ThreatGRID |
Malware Threat Intelligence Platform v2.0 |
Log file protocol, Syslog |
Malware events |
No |
No |
No |
TippingPoint |
Intrusion Prevention System (IPS) 1.4.2 to 3.2.x; TippingPoint SMS 5.2.0 |
Syslog |
All events |
No |
No |
No |
TippingPoint |
X505/X506 2.5 and later |
Syslog |
All events |
Yes |
Yes |
No |
Top Layer |
IPS 5500 4.1 and later |
Syslog |
All events |
Yes |
No |
No |
Trend Micro |
Trend Micro Apex Central (version 1) |
Syslog, TLS syslog |
Event format: CEF; Event types: Attack discovery detection logs, Behavior monitoring logs, C&C callback logs, Content security logs, Data loss prevention logs, Device access control logs, Endpoint application control logs, Engine update status logs, Network content inspection logs, Pattern update status logs, Predictive machine learning logs, Sandbox detection logs, Spyware/Grayware logs, Suspicious file logs, Virus/Malware logs, Web security logs |
Yes |
No |
No |
Trend Micro |
Trend Micro Apex One 8.x and 10.x (formerly known as Trend Micro OfficeScan; the name remains the same in JSA) |
SNMPv2 |
All events |
No |
No |
No |
Trend Micro |
Trend Micro Control Manager 5.0 or 5.5 with hotfix 1697 or hotfix 1713 after SP1 Patch 1 |
SNMPv1 SNMPv2 SNMPv3 |
All events |
Yes |
No |
No |
Trend Micro |
Trend Micro Deep Discovery Analyzer 5.0, 5.5, 5.8 and 6.0 |
LEEF |
All events |
Yes |
No |
No |
Trend Micro |
Trend Micro Deep Discovery Email Inspector 3.0 |
Log Event Extended Format (LEEF) |
Detections, Virtual Analyzer Analysis logs, System events, Alert events |
Yes |
No |
No |
Trend Micro |
Trend Micro Deep Discovery Inspector 3.0 to 3.8, 5.0 and 5.1 |
Log Event Extended Format (LEEF) |
Malicious content, Malicious behavior, Suspicious behavior, Exploit, Grayware, Web reputation, Disruptive application, Sandbox, Correlation, System, Update |
Yes |
No |
No |
Trend Micro |
Trend Micro Deep Security 9.6.1532 to 12.0 |
Log Event Extended Format (LEEF) |
Anti-Malware, Deep Security, Firewall, Integrity Monitor, Intrusion Prevention, Log Inspection, System, Web Reputation |
Yes |
No |
No |
Tripwire |
Enterprise Manager 5.2 and later |
Syslog |
Event format: CEF (CEF:0 is supported); Event types: Resource additions, removal, and modification events |
Yes |
No |
No |
Tropos Networks |
Tropos Control 7.7 |
Syslog |
Fault management, login/logout, provision, and device image upload events |
No |
No |
No |
Trusteer |
Apex Local Event Aggregator 1304.x and later |
Syslog |
Malware, exploit, and data exfiltration detection events |
Yes |
No |
No |
Vectra Networks |
Vectra Networks Vectra 2.2 |
Syslog |
Host scoring, command and control, botnet activity, reconnaissance, lateral movement, exfiltration; Event format: CEF (CEF:0 is supported) |
Yes |
No |
No |
Verdasys |
Digital Guardian 6.0.x (Syslog only); Digital Guardian 6.1.1 and 7.2 (LEEF only) |
Syslog |
Event format: LEEF; Events: All events |
Yes |
No |
No |
Vericept |
Content 360 up to 8.0 |
Syslog |
All events |
Yes |
No |
No |
VMware |
VMware AppDefense 1.0 |
VMware AppDefense API protocol (JSON) |
All events |
No |
No |
No |
VMware |
Carbon Black App Control 8.0.x to 8.5.x (Formerly known as Carbon Black Protection) |
Syslog |
Event format: LEEF; Event types: computer management, server management, session management, policy management, policy enforcement, internal events, general management, discovery |
Yes |
Yes |
No |
VMware |
VMware ESX or ESXi 3.5.x, 4.x, 5.x and 6.x |
Syslog, VMware protocol |
Account Information, Notice, Warning, Error, System Informational, System Configuration, System Error, User Login, Misc, Suspicious Event, Access Denied, License Expired, Information, Authentication, Session Tracking |
Yes if syslog |
No |
No |
VMware |
VMware vCenter v5.x and v6.x |
VMWare protocol |
Account Information, Notice, Warning, Error, System Informational, System Configuration, System Error, User Login, Misc, Suspicious Event, Access Denied, License Expired, Information, Authentication, Session Tracking |
No |
No |
No |
VMware |
VMware vCloud Director 5.1 to 10.0 |
vCloud Director protocol |
All events |
No |
Yes |
No |
VMWare |
VMware vShield |
Syslog |
All events |
Yes |
No |
No |
Vormetric, Inc. |
Vormetric Data Security |
Syslog (LEEF) |
Audit, Alarm, Warn, Learn Mode, System |
Yes |
No |
No |
Watchguard |
WatchGuard Fireware OS |
Syslog |
All events |
Yes |
No |
No |
Websense (now known as Forcepoint) |
||||||
Zscaler |
Zscaler Nanolog Streaming Service (Zscaler NSS) 6.0 |
Syslog |
Event format: LEEF; Event types: Web log events, Firewall events (including DNS) |
Yes |
No |
No |
Zscaler |
Zscaler Private Access |
Syslog |
Event format: LEEF Event types: App Connector Status, Audit, User Status |
Yes |
No |
No |
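Several rows above make support conditional on the event format the device emits (LEEF, or CEF with the note that CEF:0 is supported), and the Version-not-listed guidance at the top of this page says to try the DSM before opening a ticket. A quick way to do that is to capture a few lines from the device and check what they actually are. The script below is an added example for this guide, not JSA code or any vendor's code: it classifies a syslog line as LEEF or CEF, splits the header while honouring backslash-escaped pipes, handles the LEEF 2.0 delimiter field (including the hex form such as `x5e`), parses the extension into key/value pairs, and flags whether the version is one the table names. The vendor and product names and all sample lines are constructed; the `supported` check encodes only CEF:0 and LEEF 1.0/2.0, and treating anything else as needing review is an assumption, not a statement from the guide.

```python
"""Check what a device actually emits (LEEF or CEF:0) before adding it as a JSA log source.

Added example for this guide; not JSA code. Sample lines and vendor names are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ParsedEvent:
    fmt: str                  # "LEEF" or "CEF"
    version: str              # LEEF "1.0"/"2.0"; CEF "0"
    header: List[str]         # LEEF: vendor, product, version, event id
                              # CEF: vendor, product, version, signature id, name, severity
    attrs: Dict[str, str] = field(default_factory=dict)

    @property
    def supported(self) -> bool:
        # The table says "CEF:0 is supported"; LEEF 1.0 and 2.0 are the published LEEF versions.
        # Anything else is flagged for review (assumption: not accepted without an extension).
        return (self.fmt == "CEF" and self.version == "0") or (
            self.fmt == "LEEF" and self.version in ("1.0", "2.0"))


def split_unescaped(s: str, delim: str, maxsplit: int) -> List[str]:
    """Split header fields on delim, honouring backslash escapes such as \\| and \\\\.
    After maxsplit fields the remainder is returned raw, because the extension
    part has its own escaping rules and (in CEF) may contain literal pipes."""
    parts: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            cur.append(s[i + 1])
            i += 2
            continue
        if c == delim:
            parts.append("".join(cur))
            cur = []
            if len(parts) == maxsplit:
                parts.append(s[i + 1:])
                return parts
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts


_HEX_DELIM = re.compile(r"^0?x([0-9A-Fa-f]{2})$")


def _leef_delim(raw: str) -> str:
    """LEEF 2.0 delimiter field: empty means tab; 'x09' / '0x09' is the hex form."""
    if raw == "":
        return "\t"
    m = _HEX_DELIM.match(raw)
    return chr(int(m.group(1), 16)) if m else raw


def _cef_extension(ext: str) -> Dict[str, str]:
    """CEF extension: space-separated key=value pairs whose values may contain
    spaces, so a value runs until the next ' key=' token."""
    attrs: Dict[str, str] = {}
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_.]+)=", ext))
    for i, k in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        attrs[k.group(1)] = ext[k.end():end].replace("\\=", "=").replace("\\\\", "\\")
    return attrs


def _leef_extension(ext: str, delim: str) -> Dict[str, str]:
    return dict(p.split("=", 1) for p in ext.split(delim) if "=" in p)


_START = re.compile(r"(?:^|\s)(LEEF|CEF):")


def parse_event(line: str) -> Optional[ParsedEvent]:
    """Return the parsed event, or None when the line is neither LEEF nor CEF."""
    m = _START.search(line)
    if not m:
        return None
    body = line[m.start(1):]          # drop the syslog PRI/timestamp/host prefix
    if m.group(1) == "CEF":
        # CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
        f = split_unescaped(body, "|", 7)
        if len(f) != 8:
            return None
        return ParsedEvent("CEF", f[0][4:], f[1:7], _cef_extension(f[7]))
    # LEEF:Version|Vendor|Product|Version|EventID|[Delimiter|]Extension
    f = split_unescaped(body, "|", 5)
    if len(f) != 6:
        return None
    version, delim, ext = f[0][5:], "\t", f[5]
    if version == "2.0":
        # LEEF 2.0 adds a delimiter field before the extension; we assume it is
        # present (possibly empty) unless the text there already looks like key=value.
        d = split_unescaped(ext, "|", 1)
        if len(d) == 2 and "=" not in d[0]:
            delim, ext = _leef_delim(d[0]), d[1]
    return ParsedEvent("LEEF", version, f[1:5], _leef_extension(ext, delim))


# Constructed sample lines (not real vendor output).
SAMPLES = [
    "<14>Jan  5 10:00:00 fw01 LEEF:1.0|ExampleCo|ExampleFW|10.1|THREAT|"
    "cat=vulnerability\tsrc=10.0.0.5\tdst=192.0.2.10\tsev=4",
    "LEEF:2.0|ExampleCo|ExampleIdP|2.4|login_fail|x5e|src=10.0.0.5^usrName=alice^attempts=3",
    "<13>Jan  5 10:00:01 waf01 CEF:0|ExampleCo|ExampleWAF|1.0|100|Blocked request\\|SQLi|7|"
    "src=10.0.0.5 act=blocked msg=union select in query string",
    "CEF:1|ExampleCo|ExampleWAF|1.0|100|Blocked request|7|src=10.0.0.5",
    "<14>Jan  5 10:00:02 host sshd[1]: Failed password for root from 10.0.0.9",
]


def summarize(lines):
    """(format, version, supported) per line; None for lines that are plain syslog."""
    out = []
    for ln in lines:
        ev = parse_event(ln)
        out.append(None if ev is None else (ev.fmt, ev.version, ev.supported))
    return out


if __name__ == "__main__":
    for ln, res in zip(SAMPLES, summarize(SAMPLES)):
        print(res, "<-", ln[:60])
```

Feed it a capture from the device (for example a few lines from `tcpdump -A` or the collector's raw log) before assigning a DSM: a line that parses as LEEF or CEF:0 is a candidate for the vendor's DSM listed above, a line that returns None needs the generic syslog path or a log source extension, and a CEF version other than 0 is worth raising in the support ticket rather than assuming.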