Security Information and Event Management

Security Information and Event Management (SIEM) allows an administrator to efficiently manage increasing security threats and also comply with regulatory norms. SIEM helps you detect, visualize, scrutinize, and respond to the various threats that risk your organization's data security. Using Zoho Mail you can integrate the audit events logged in Admin Console with your SIEM tool.

Table of Contents

Splunk

Splunk is an analytics-driven SIEM tool that continuously collects high volumes of network and machine data, analyzes, and correlates them in readable form in real time. 

To integrate Splunk with Zoho Mail follow these steps:

  1. Log in to your organization's Splunk account.
  2. Create an event collector token in SplunkThis token must be entered when you configure Splunk in Zoho Mail Admin Console.

Once you generate a token, you can configure Splunk settings in Zoho Mail Admin Console.

Configure Splunk in Zoho Mail

Follow these steps to configure Splunk in Zoho Mail:

  1. Log in to Zoho Mail Admin Console
  2. Choose Other App Settings from the left menu and select SIEM.
  3. Navigate to Splunk and click Configure.
  4. Select the audit event categories in the Selected Categories field.
    select audit log categories
  5. In the Host Address field, add the hostname in which your organization's Splunk instance is running. Please ensure to provide the host address without including 'https://' prefix. The system will automatically add 'https://' to your provided host address. 
  6. Enter the token which you generated in Splunk. Ensure that the HTTP even collector is enabled in the Splunk Global Settings menu.
  7. Click the Add button. The categories that you selected get saved and you can view the audit log data seamlessly in your Splunk account.
    Splunk integration
  8. To modify the audit event categories, add or remove the events in the Selected Categories field, enter the Token and click the Update button.

Note:

  • Your organization's host can run in an on-premise Splunk Enterprise or a Splunk Cloud Platform with a paid plan.
  • Zoho Mail supports only the port value 443 for HTTPS domains which has a valid SSL certificate.

Loggly

Loggly is a cloud based log management and analytical solution that helps organizations manage, analyze, and gain insights from their log data. It supports searching, filtering, and visualizing massive log volumes, making it easier to understand and act upon the information contained in their logs. 

To integrate Loggly with Zoho Mail follow these steps:

  1. Log in to your organization's Loggly account.
  2. Copy your Customer Token from Loggly. This token is a unique identifier for your Loggly account. The Customer Token must be an Active Token.

This token must be entered when you configure Loggly in Zoho Mail Admin Console.

Configure Loggly in Zoho Mail 

Follow these steps to configure Loggly in Zoho Mail:

  1. Log in to Zoho Mail Admin Console
  2. Choose Other App Settings from the left menu and select SIEM.
  3. Navigate to Loggly and click Configure.
    Loggly
  4. Select the audit event categories in the Selected Categories field.
  5. Enter the Token (Customer token) copied from your Loggly account. 
  6. Click the Add button. 
    Loggly intergration
  7. To modify the audit event categories, add or remove the events in the Selected Categories field, enter the Customer Token again if needed and click Update.
  8. Enter the OTP sent to your Loggly account to save the modifications.

The categories that you selected get saved, and you can view the audit log data in your Loggly account.

QRadar

IBM QRadar is a network security management solution that collects, correlates, and  analyzes real-time audit log data to identify and address security threats. It helps organizations manage their network security by providing real-time information and monitoring, alerting for offenses, and responding to potential network threats.

To integrate QRadar with Zoho Mail follow these steps:

Note:

Zoho Mail supports sending event logs from Admin Console to QRadar only through the HTTP Receiver protocol configuration, with a valid SSL certificate issued by a certificate authority (CA). For more information, click here.

  1. Log in to your organization's QRadar account.
  2. Navigate to Log Source Management App to create a new HTTP Receiver log source.
  3. Create a new HTTP Receiver protocol log source in the New log source section.
  4. Ensure that your QRadar account has an open inbound Port 12469  for seamless reception of data.

Once the HTTP Receiver Log Source has been configured and deployed in QRadar, you can configure QRadar settings in Zoho Mail Admin Console.

Configure Qradar in Zoho Mail

Follow these steps to configure QRadar in Zoho Mail:

  1. Log in to Zoho Mail Admin Console
  2. Choose Other App Settings from the left menu and select SIEM.
  3. Navigate to QRadar and click Configure.
    Qradar
  4. Select the audit event categories in the Selected Categories field.
  5. Enter the Https Receiver Protocol Configuration URL from your QRadar account in the URL field. 
  6. Click the Add button.
    qradar configuration
  7. To modify the audit event categories, add or remove the events in the Selected Categories field, and click Update.
  8. Enter the OTP sent to your QRadar account to save the modifications.

The categories that you selected get saved and can be viewed in your QRadar account.

Webhooks

In Zoho Mail, Webhooks provide a flexible and adaptable alternative if the SIEM tool you are attempting to integrate is not directly supported, to ensure seamless event data transmission and integration with the SIEM tool. This adaptability allows you to maintain effective log management and event monitoring, even when dealing with SIEM tools that may not have native support. Our webhooks serve as a bridge, enabling you to send event data from Admin Console to your preferred SIEM infrastructure.

Follow the below steps to configure Webhooks: 

  1. Log in to Zoho Mail Admin Console
  2. Choose Other App Settings from the left menu and select SIEM.
  3. Navigate to Webhooks and click Configure.
    Webhooks
  4. Select the audit event categories in the Selected Categories field.
  5. Enter a Name for the webhook.
  6. Select the Data Format from the drop-down.
    • JSONARRAY
    • NDJSON
  7. Enter the webhook URL that will receive the incoming data in the Listener URL field.
  8. Enter the required Custom Header name and Custom Header value from the SIEM tool in the Custom Headers field.
  9. Click the Add button.
    webhook configuration
  10. To modify the audit event categories, add or remove the events in the Selected Categories field and click Update.
  11. Enter the OTP sent to your configured application to save the modifications.

Manage SIEM Configurations

Enable/ Disable Integration

Based on your organization's needs, you can disable an Integration whenever it is not needed. Navigate to your preferred Integration page, and select the Integration toggle button, and click the Disable button. This allows you to enable the same configuration at a later stage.
disable splunk integration in Zoho Mail

Remove Configuration

 If you no longer need an configuration, select Remove Configuration in the respective Integration page and click the Remove button in the pop-up that appears.
remove configuration

Note:

  • Be cautious when you configure your SIEM applications in Zoho Mail. By doing this, you agree to share your organization's data from Admin Console with other applications.
  • The SIEM Integration is introduced as a BETA version and will be available for organizations that use one of Zoho Mail's paid plans.

Still can't find what you're looking for?

Write to us: support@zohomail.com