Author: GDS

Security Information and Event Management (SIEM) integration

Direct integration with your organisation’s Security Information and Event Management (SIEM) system will allow you to receive all the misconfiguration and vulnerability data collected by the Government Digital Service (GDS).

You will be able to create automatic alerts about the issues we share with you and view them on a dashboard to make it easier to monitor, prioritise and respond.

Available integrations

GDS currently provides integrations with:

  • Logpoint
  • Microsoft Sentinel
  • Splunk

We select integrations where the SIEM can ingest data without substantial changes to our export formats, and through our common paths, which are:

  • AWS SQS Queue and S3 bucket
  • AWS S3 bucket directly
  • API

Integrating with the data feed

Data feeds are configured to work with particular SIEM systems. You can use our guidance to configure your integration:

  • Splunk
  • Microsoft Sentinel
  • Logpoint

We can also help you with the implementation to make sure the data feed is presented correctly and any dashboards and alerts are set up properly.

GDS cannot customise data for individual organisations and you will only be able to see your own organisation’s data feed.

Frequency of reporting

Monitoring occurs throughout the day and data exported to SIEM integrations is updated every 6 hours.

There will always be a gap between the detection of an issue and its being reported through the SIEM integration. Always check that an issue still exists before acting on it.

We will let you know about updates, important announcements and escalation processes by email.

Reporting issues

If you have any issues with the data feed, you can report them by emailing support@domains.gov.uk. Examples of issues include:

  • service disruptions
  • unusual alert patterns
  • false positives
  • miscategorised issues, or issues with the wrong impact rating

We will manage any issues you report using our internal management processes. We aim to resolve urgent issues as quickly as possible, and will give you a clear timeline for resolving each issue based on its priority.

Roles and responsibilities

We will tell you about any changes that might affect the SIEM connection, for example changes to the data format, dashboards, or feed timings.

We will also:

  • monitor UK public sector domains
  • provide regular, prioritised vulnerability data
  • make sure our data feed to your SIEM is stable and secure
  • respond in a timely way to any issues you report
  • offer you technical guidance on managing vulnerabilities

We ask you to:

  • maintain your SIEM technical environment so that it can receive and action alerts from the data feed
  • make sure your security team monitors and acts on high and critical priority vulnerabilities
  • tell us about any changes to your registered domains and sub-domains
  • report any data feed issues promptly to GDS
  • make sure GDS has an up-to-date contact list in case of issues

Contact

If you need more information email support@domains.gov.uk.