Chapter 7: Support & Integration
Supporting system requirements, third-party integrations, and ecosystem dependencies for a complete monitoring architecture
A cybersecurity monitoring system does not operate in isolation. What the SIEM can detect is bounded by what it can see, so its coverage grows with the breadth and depth of its integrations with the surrounding IT and security ecosystem. The SIEM platform must receive data from network infrastructure, endpoint security tools, identity management systems, cloud platforms, and threat intelligence feeds to provide comprehensive visibility. This chapter defines the supporting system requirements and integration specifications for each ecosystem component, including the protocol and port each integration uses.
7.1 Integrated Support Requirements Overview
The following diagram illustrates all supporting systems that must be integrated with the central SIEM platform to achieve full monitoring coverage. Each supporting system connects to the SIEM through a specific protocol and port, providing a distinct category of security telemetry. The integration map serves as the master reference for network firewall rule configuration and integration project planning.
Figure 7.1: Integrated Support Requirements Diagram — All supporting systems integrated with the central SIEM Platform, showing connection protocols and ports for: Network Infrastructure (Syslog/NetFlow), Identity & Access Management (LDAP/API), IT Service Management (REST API), Endpoint Security (Agent/API), Cloud Platforms (CloudTrail/API), Threat Intelligence Feeds (STIX/TAXII), Vulnerability Management (API), and SOAR Platform (Webhook/API).
| Supporting System | Integration Type | Protocol/Port | Data Provided | Integration Priority |
|---|---|---|---|---|
| Network Infrastructure (Firewalls, Switches, Routers) | Log forwarding | Syslog UDP/514 (plaintext, no delivery guarantee); Syslog over TLS TCP/6514 (RFC 5425); NetFlow UDP/2055 | Firewall allow/deny, routing changes, flow records | Critical |
| Identity & Access Management (AD, LDAP, IAM) | Directory query + log forwarding | LDAP TCP/389, LDAPS TCP/636; HTTPS TCP/443 | Authentication events, group membership, privilege changes | Critical |
| IT Service Management (ServiceNow, Jira) | Bidirectional API | REST API HTTPS TCP/443 | Incident tickets, change records, CMDB asset data | High |
| Endpoint Security (EDR, AV, DLP) | Agent + API | Agent-to-console and console API, both HTTPS TCP/443 | Endpoint telemetry, malware detections, DLP violations | Critical |
| Cloud Platforms (AWS, Azure, GCP) | API pull | HTTPS TCP/443 | CloudTrail, Azure Monitor, GCP Logging events | High |
| Threat Intelligence Feeds (MISP, commercial) | STIX/TAXII pull + API | HTTPS TCP/443 | IOC feeds, threat actor profiles, vulnerability intelligence | High |
| Vulnerability Management (Qualys, Tenable) | API pull | HTTPS TCP/443 | Asset vulnerability data, scan results, risk scores | Medium |
| SOAR Platform | Webhook + API | HTTPS TCP/443 | Playbook execution results, case management updates | High |
7.2 Network Infrastructure Integration
Network infrastructure devices — firewalls, routers, switches, and load balancers — are the most fundamental log sources for a cybersecurity monitoring system. These devices generate high-volume, high-value security events that form the backbone of threat detection. The integration must capture all security-relevant events without overwhelming the log collection infrastructure with routine operational noise. The per-device-type log level in the table below is the primary control: it is set on the device where the platform allows it and enforced again at the collector, because a single device left at debug level can exhaust collector and licensing capacity on its own. The EPS figures are planning estimates and must be validated against measured rates once each device class is onboarded.
| Device Type | Critical Log Events | Recommended Log Level | Estimated EPS |
|---|---|---|---|
| Next-Generation Firewall | Allow/deny decisions, IPS alerts, URL filtering, TLS inspection events | Informational (all security events) | 500–5,000 EPS per device |
| Core/Distribution Switch | Port security violations, MAC address changes, STP topology changes, VLAN changes | Warning and above | 10–100 EPS per device |
| Router/WAN Edge | BGP/OSPF changes, ACL hits, interface state changes, routing anomalies | Warning and above | 5–50 EPS per device |
| VPN Gateway | Authentication success/failure, session establishment/termination, policy violations | Informational (all auth events) | 50–500 EPS per device |
| Load Balancer | Connection rate anomalies, health check failures, TLS certificate events | Warning and above | 10–200 EPS per device |
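The log-level thresholds and EPS estimates in the table above are what a collector actually enforces. The following is an added example, not code from this design document or from any SIEM vendor: it parses RFC 5424 syslog lines from network devices, applies the per-device-type severity threshold from the table, and reports the resulting events-per-second per device against the table's EPS band so that a device left at debug level is visible before it floods the collector. The hostname-prefix mapping to device class and all log lines are constructed for the example.

```python
"""Severity gating and EPS estimation for network device syslog (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[[^\]]*\])(?: (?P<msg>.*))?$"
)

# Table 7.2 log levels: keep events whose syslog severity number is <= this
# value (0 = emergency ... 4 = warning, 6 = informational, 7 = debug).
LOG_LEVEL_THRESHOLD = {"firewall": 6, "switch": 4, "router": 4, "vpn": 6, "load_balancer": 4}
# Table 7.2 estimated EPS band (low, high) per device class.
EPS_BUDGET = {"firewall": (500, 5000), "switch": (10, 100), "router": (5, 50),
              "vpn": (50, 500), "load_balancer": (10, 200)}
# Assumption for this example: the hostname prefix identifies the device class.
HOST_PREFIX = {"fw-": "firewall", "sw-": "switch", "rtr-": "router", "vpn-": "vpn", "lb-": "load_balancer"}

# Constructed sample lines (one is deliberately malformed).
SAMPLE_LINES = [
    "<134>1 2024-05-01T10:00:00Z fw-edge-01 ngfw - TRAFFIC - action=allow src=10.1.1.5 dst=93.184.216.34 dport=443",
    "<132>1 2024-05-01T10:00:00Z fw-edge-01 ngfw - THREAT - action=drop signature=ET_SCAN src=198.51.100.7",
    "<135>1 2024-05-01T10:00:01Z fw-edge-01 ngfw - DEBUG - session table walk",
    "<134>1 2024-05-01T10:00:02Z fw-edge-01 ngfw - TRAFFIC - action=deny src=10.1.1.9 dst=203.0.113.8 dport=3389",
    "<190>1 2024-05-01T10:00:00Z sw-core-01 switch - PORT - interface Gi1/0/12 changed state to up",
    "<188>1 2024-05-01T10:00:01Z sw-core-01 switch - PORTSEC - port security violation on Gi1/0/7 mac 00:11:22:33:44:55",
    "<134>1 2024-05-01T10:00:00Z vpn-gw-01 vpn - AUTH - user=jdoe result=failure src=203.0.113.50",
    "<132>1 2024-05-01T10:00:00Z lb-web-01 lb - HEALTH - pool=web member=10.2.0.5 check=failed",
    "not a syslog line",
]


def device_type(host):
    for prefix, kind in HOST_PREFIX.items():
        if host.startswith(prefix):
            return kind
    return "unknown"


def parse_syslog(line):
    """Return a parsed event dict, or None for lines that are not RFC 5424."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "ts": datetime.fromisoformat(m.group("ts").replace("Z", "+00:00")),
        "host": m.group("host"),
        "type": device_type(m.group("host")),
        "msgid": m.group("msgid"),
        "msg": m.group("msg") or "",
    }


def passes_threshold(event):
    # Unknown device classes fall back to "Warning and above".
    return event["severity"] <= LOG_LEVEL_THRESHOLD.get(event["type"], 4)


def summarize(lines):
    """Apply the severity gate and compute per-device EPS over the observed window."""
    stats = defaultdict(lambda: {"type": None, "accepted": 0, "dropped": 0, "first": None, "last": None})
    unparsed = 0
    for line in lines:
        ev = parse_syslog(line)
        if ev is None:
            unparsed += 1
            continue
        s = stats[ev["host"]]
        s["type"] = ev["type"]
        if not passes_threshold(ev):
            s["dropped"] += 1
            continue
        s["accepted"] += 1
        s["first"] = ev["ts"] if s["first"] is None else min(s["first"], ev["ts"])
        s["last"] = ev["ts"] if s["last"] is None else max(s["last"], ev["ts"])
    devices = {}
    for host, s in stats.items():
        # Window is clamped to 1 s so a single event does not divide by zero.
        window = max((s["last"] - s["first"]).total_seconds(), 1.0) if s["first"] else 1.0
        eps = s["accepted"] / window
        _, high = EPS_BUDGET.get(s["type"], (0, float("inf")))
        devices[host] = {"type": s["type"], "accepted": s["accepted"], "dropped": s["dropped"],
                         "eps": round(eps, 2), "over_budget": eps > high}
    return {"devices": devices, "unparsed": unparsed}


if __name__ == "__main__":
    for host, d in summarize(SAMPLE_LINES)["devices"].items():
        print(host, d)
```

In the sample, the firewall's debug line and the switch's informational port-state line are dropped while the port-security violation and the VPN authentication failure are kept, which is exactly the split the table prescribes. In production the EPS window would be a sliding interval (for example the last 60 seconds) rather than the whole batch.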
7.3 Cloud Platform Integration
Cloud platform integration presents different challenges from on-premises infrastructure. Cloud providers offer native logging services — AWS CloudTrail, Azure Monitor, and GCP Cloud Logging — that must be configured to deliver events to the on-premises SIEM or a cloud-native SIEM instance. The integration architecture must account for the high volume of cloud API calls, the need for cross-account log aggregation in multi-account environments (for example an organization-level trail delivering to a central logging account), and the end-to-end latency, which is the provider's own delivery delay plus the cloud-to-on-premises forwarding hop.
| Cloud Provider | Log Service | Critical Log Sources | Integration Method | Typical Latency |
|---|---|---|---|---|
| Amazon Web Services | CloudTrail, VPC Flow Logs, GuardDuty, Security Hub | API calls, network flows, threat detections, security findings | S3 + SQS notification; or CloudWatch Logs subscription filter to Kinesis Data Firehose; GuardDuty and Security Hub findings via EventBridge | 1–5 minutes |
| Microsoft Azure | Azure Monitor, Microsoft Defender, Entra ID Logs | Activity logs, sign-in events, security alerts, resource changes | Event Hub + Log Analytics API | 1–3 minutes |
| Google Cloud Platform | Cloud Logging, Security Command Center, VPC Flow Logs | Admin activity, data access, system events, security findings | Pub/Sub + API pull | 1–5 minutes |
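The S3 + SQS path in the AWS row is the one most often built by hand, and the latency column is only meaningful if the ingestion worker measures it. The following is an added example, not the design document's or AWS's own code: it walks the ingestion steps offline with the standard library only, reading the S3 event notification from an SQS message body, decompressing the gzipped CloudTrail object the notification points at, normalizing each record into a common schema, flagging a small set of sensitive API calls, and computing delivery latency as notification time minus event time. The S3 fetch is replaced by an in-memory dict (an assumption for this example), and the SQS message, object key, and CloudTrail records are all constructed; the `SENSITIVE_CALLS` list is illustrative, not a complete detection catalogue.

```python
"""CloudTrail S3 + SQS ingestion path, simulated offline (added example)."""
import gzip
import io
import json
from datetime import datetime, timezone
from urllib.parse import unquote_plus

# Illustrative high-interest calls routed to analysts regardless of volume.
SENSITIVE_CALLS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    "iam.amazonaws.com": {"CreateUser", "CreateAccessKey", "AttachUserPolicy", "PutUserPolicy"},
    "s3.amazonaws.com": {"PutBucketPolicy", "PutBucketAcl"},
}

# Constructed sample data: one trail object and the S3 notification announcing it.
TRAIL_KEY = ("AWSLogs/123456789012/CloudTrail/us-east-1/2024/05/01/"
             "123456789012_CloudTrail_us-east-1_20240501T1000Z_abc123.json.gz")
SAMPLE_RECORDS = {"Records": [
    {"eventVersion": "1.08", "eventTime": "2024-05-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"name": "org-trail"}, "recipientAccountId": "123456789012", "readOnly": False},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T10:00:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1", "sourceIPAddress": "10.0.4.22",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Monitoring/scanner"},
     "recipientAccountId": "123456789012", "readOnly": True},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T10:01:10Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/admin"},
     "errorMessage": "Failed authentication", "responseElements": {"ConsoleLogin": "Failure"},
     "recipientAccountId": "123456789012"},
]}
FAKE_BUCKET = {TRAIL_KEY: gzip.compress(json.dumps(SAMPLE_RECORDS).encode())}  # stands in for S3
SAMPLE_SQS_BODY = json.dumps({"Records": [{
    "eventVersion": "2.1", "eventSource": "aws:s3", "eventTime": "2024-05-01T10:03:00.000Z",
    "eventName": "ObjectCreated:Put",
    "s3": {"bucket": {"name": "org-cloudtrail-logs"}, "object": {"key": TRAIL_KEY}}}]})


def _parse_time(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_notification(body):
    """Yield (bucket, key, notified_at) for each created object in an SQS message.
    Accepts a direct S3 -> SQS notification or an SNS -> SQS envelope, whose
    body wraps the notification JSON in a 'Message' string."""
    doc = json.loads(body)
    if "Message" in doc:
        doc = json.loads(doc["Message"])
    out = []
    for rec in doc.get("Records", []):
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue
        # S3 URL-encodes object keys in notifications (spaces arrive as '+').
        key = unquote_plus(rec["s3"]["object"]["key"])
        out.append((rec["s3"]["bucket"]["name"], key, _parse_time(rec["eventTime"])))
    return out


def read_trail_object(data):
    """Decompress a CloudTrail log file and return its Records list."""
    with gzip.GzipFile(fileobj=io.BytesIO(data)) as fh:
        return json.load(fh).get("Records", [])


def normalize(record):
    ident = record.get("userIdentity", {})
    source = record.get("eventSource", "")
    name = record.get("eventName", "")
    return {
        "event_time": _parse_time(record["eventTime"]),
        "account": record.get("recipientAccountId"),
        "region": record.get("awsRegion"),
        "principal": ident.get("arn") or ident.get("type"),
        "action": f"{source.split('.')[0]}:{name}",
        "source_ip": record.get("sourceIPAddress"),
        "read_only": record.get("readOnly", False),
        # ConsoleLogin failures carry errorMessage rather than errorCode.
        "error": record.get("errorCode") or record.get("errorMessage"),
        "sensitive": name in SENSITIVE_CALLS.get(source, set()),
    }


def process_message(body, fetch):
    """fetch(bucket, key) -> bytes stands in for an S3 GetObject call."""
    events, latencies = [], []
    for bucket, key, notified_at in parse_notification(body):
        for rec in read_trail_object(fetch(bucket, key)):
            ev = normalize(rec)
            latencies.append((notified_at - ev["event_time"]).total_seconds())
            events.append(ev)
    return {"events": events, "max_latency_seconds": max(latencies) if latencies else None}


def fetch_from_fake_bucket(bucket, key):
    return FAKE_BUCKET[key]


if __name__ == "__main__":
    result = process_message(SAMPLE_SQS_BODY, fetch_from_fake_bucket)
    for ev in result["events"]:
        print(ev["action"], ev["principal"], "sensitive" if ev["sensitive"] else "")
    print("max delivery latency (s):", result["max_latency_seconds"])
```

The 180-second latency in the sample is the oldest record's event time measured against the S3 notification time, which is the figure to trend against the table's 1–5 minute expectation; an on-premises SIEM adds its own forwarding delay on top. Replacing `fetch_from_fake_bucket` with a real `GetObject` call and draining the queue with `ReceiveMessage`/`DeleteMessage` turns the same functions into a working worker.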