Edit a security log stream

Edit the details of a security event (SIEM) stream. You can change the name of your stream, the group and security configurations you want to monitor, and the destination where your stream uploads logs.

Version management

Every time you edit a stream, you create a new version. This lets you quickly adapt your existing streams to start collecting logs for different properties, modify the data set parameters to monitor, or change the destinations where they send logs.

When you edit an active data stream, you create and activate a new version that becomes the version used by this stream. Once you activate the edited version, you can't revert to any previous version. For inactive streams, you can activate the stream upon saving, or save the configuration for later.

When you edit an inactive stream, you can activate it after saving by checking the Activate stream upon saving option, or leave the box unchecked to save the stream and activate it later.

You can keep track of changes to your stream in the Version history panel accessible from the DataStream control panel. On the DataStream main page, you can click Actions · · · History next to the relevant stream.

How to

  1. Log in to Control Center using a User ID and Password that have been configured for access to DataStream.

  2. Go to COMMON SERVICES > DataStream.

  3. On the DataStream page, find the stream that you want to edit, click · · · from the Actions column, and choose Edit to open the Edit stream wizard. See View and manage versions.

🚧

Stream activation status

Editing the stream doesn’t change its activation status. If you’re editing an inactive stream, it stays inactive, unless you choose to Activate the stream upon saving. When editing an active stream, it stays active after saving the changes.

  4. In Configuration, you can:

    • Edit the Name of your stream.

    • Change the Group on your contract for which you initially created the stream.

    • Edit the Security configurations you want to monitor in the stream.

    📘

    Tip

    You can add up to 30 configurations in one security log stream. Unavailable configurations (already in 3 streams or with SIEM integration data disabled) are grayed out on the list.

    If you need to enable SIEM integration data for any configuration, click View in Web Security to open your config.

  5. Click Next to continue to the Data Sets tab. For SIEM, DataStream logs all security event data sets by default.

    You can hover over each data set field to see the description in the tooltip or go to SIEM API data format in the SIEM user guide for the full list of data set fields with descriptions and examples.

  6. Click Next to continue to the Delivery tab. You can edit the destination where the stream sends logs, the Delivery options, and Sampling rate.

    See Stream logs to a destination for steps for every destination and details for other settings.

  7. In Summary, review your changes and decide if you want to activate the edited stream:

    • Check the Activate stream upon saving box to deploy the stream and activate it on the production network after saving. It starts streaming data in about 60 minutes from activating.

      or

    • Leave the box unchecked to save the stream configuration and activate it later. Streams start uploading data in about 60 minutes from activating.

  8. Optional: Select Receive an email once activation is complete and provide a list of e-mail addresses to get notifications about all actions involving the stream, such as stream activation or deactivation, editing an active or inactive stream, or saving a stream version.

  9. Click Save stream to save the stream for later, or save and activate it on the production network. The stream activates if you checked the Activate stream upon saving box in Step 7.

Activating a stream to stream data takes about 60 minutes. For actions to activate the stream later and details on checking the activation status, see Activate or deactivate a stream.